ttyadmin - administration of user access routes


ttyadmin -a -l user -z route [-Z programdef] [-b start time] [-e end time] [-w days of week] [-m modifiers]
ttyadmin -r -l user -z route [-Z programdef] [-b start time] [-e end time] [-w days of week] [-m modifiers]
ttyadmin -y [-v] -z route
ttyadmin -s display_opts [-l user]
ttyadmin -T [-l user]
ttyadmin -N [-l user]
ttyadmin -A
ttyadmin -L A|P|C
ttyadmin -S


Ttyadmin administers user access routes for BoKS users (see routeadm(1B) for administrating user class
access routes). A BoKS user must have an access route allocated by ttyadmin to be able to access the system
through BoKS.
A user may be authorized to access the system from any number of access routes. A user may also have
several authorizations per route. At access time all the entries are scanned for a possible match.


Revoke authorization.
-s display_opts
List authorizations. display_opts is one or more of the characters hPsT. Exactly one of P and T
should be included. T displays a table. P produces a terser format, similar to the output from -T.
h adds a header. s suppresses a delimiting line following the header.

Authorize a user to access the system using the specified access route. The user must previously
have been created by mkbks(1B).

List access routes through which a user is authorized to access the system. If no access route is
specified, all routes which at least one user is authorized to access are shown.
The negation of -T.
Show all known terminals. This is done by scanning the /dev directory for possible terminals.
-l user
Specify user.
-z route
This option is used to specify a full access route in the format:
The following are some of the access methods which may be specified:
TELNET Access using the telnet protocol
RLOGIN Login using the rlogin program
XDM Loginfrom a X-terminal
RSH Remoteexecution/copy using the rsh and rcp commands
REXEC Remoteexecution using rexec
FTP Filetransfer using ftp
LOGIN Login through a standard tty
SU Changing user id using the su command
SUEXEC Executing a program as another user using the
suexec program
WINLOGIN Login at Windows console
WINRDP Remote Windows Login
WINRUNAS Execute a program as another Windows user
WINNETSHARE Windows Netlogon (the FromHost field is ignored for
this method)
BOKSADM Remote administration
* All methods except BOKSADM

Methods may be entered either upper or lower case letters. The wild card ’*’ may be used. Surround
the access route with single quotes.

If the access method is SU, SUEXEC or LOGIN the FromHost part should be a valid terminal name
instead of a host. For the WINRUNAS access method the FromHost part should alway be set to wild card
’*’ as terminals are currently not supported on Windows. If the access method is SU, SUEXEC or WINRUNAS
ToHost should be the name of the user, or user@host (to restrict access to a specific host or hostgroup)
where "user" is only the user name part of the BoKS username.
-Z programdef
Should be used used for SUEXEC, WINRUNAS and NETSHARE routes to specify program
component or program group or, for NETSHARE, the share name. Programdef may be just the
full path of a program (any arguments allowed), full path followed by "" (no arguments allowed)
or full path followed by an expression as accepted by fnmatch to specify what arguments are
allowed to match. It may also be the name of a program group. For the WINRUNAS access
method the program path component must always be enclosed in double quotes. See the PROGRAM
DEFINITION section for details.

-b start time
Specifies the start time, since midnight, for access through the specified route. The format is
HH[MM] or HH:[MM] where HH is hours (24 hour clock) and MM is minutes.

-e end time
End time. See -b for a format description.

-w days of week
Day of week for access through the specified route. The format is a string with digits (1-7) without
any spaces. 1 is Monday and 7 is Sunday. Example: -w12356 means Monday, Tuesday, Wednesday,
Friday and Saturday. The default for days of week is Monday through Friday (-w12345). The
day 8 means working day. Working day is defined as Monday through Friday except days which
are holidays as given by holidays(4).

-m modifiers
Used to specify any modifiers (options) for the access route. The authentication method modifiers
locked accessroute locked
syspsw systempassword
psw userpassword
psw,syspsw system and user password
uucp,psw compatibility mode (e.g. use with uucp)
stdlogin standard UNIX login (BoKS off)
Usefrom-users password generator on SU and SUEXEC
use_frompsw Ask for from-user’s password on SU and SUEXEC
bosas BoKS-to-BoKS automatic authentication
alltaas "Allterminal" validation with smart cards
securid SecurID password generator if user has one
hardsecurid SecurID password generator must always be used
desgold Safeword token if user has one
harddesgold Safeword token must always be used
Use LDAP bind authentication if user has ldap authenticator
hardldapauth LDAP bind authentication must always be used
kerberos Usekerberos authentication if user has kerberos authenticator (SU, SUEXEC and SSH only)
hardkerberos kerberos authentication must be used (SU, SUEXEC and SSH only)
optional_kerberos Same as kerberos, but fallback authentication can be used if client does not support kerberos or kerberos_ticket only is set and no ticket is available.(SU, SUEXEC and SSH only)
kerberos_allow_ticket For SU and SUEXEC, when kerberos authentication is to be used, allow authentication with kerberos ticket if present. No password will be required. Use with care.
kerberos_ticket_only When kerberos authentication is to be used, only try kerberos ticket, not kerberos password (SSH only)
kerberos_or_password When kerberos password authentication is to be used, if given password is not the correct kerberos password, check if it matches the BoKS password. (SSH only)
ssh_hb Hostbased SSH if the user has such authenticator
hard_ssh_hb Host based SSH must always be used
ssh_cert SSHX509v3 certificate authentication if user has such authenticator
hard_ssh_cert SSH X509v3 certificate authentication must always be used
ssh_pk PublicKey SSH if the user has such authenticator
hard_ssh_pk Public Key SSH must always be used
optional_ssh_cert Same as ssh_cert, but can be specified together with a fallback authentication method. E.g:
First try authenticating with ssh_cert, but if that fails (e.g. ssh client does not support X509v3 certificates), then try public key.
optional_ssh_pk Same as ssh_pk, but can be specified together with a fallback authentication method. e.g:
It should be noted that the SSH authentication methods only applies to routes for the ’SSH’
Access Method.
Example of other modifiers are:

The login process will execute the chroot(1) command, using the given path.
Only valid for SSH routes.
Run suexec command in touser environment, see suexec (1B).
Checks that SUEXEC program path components not are writable by users/groups other than trusted system users/groups.
Trusted system UIDs and GIDs are 0,1,2 and 3.
The SUEXEC safepath modifier can only be applied on the SUEXEC access route.
For more information about modifiers and a complete list, please see $BOKS_etc/method.conf

Used to check if a access route entered together with the -z option is valid.

Verbose mode, used together with -y.

-L A|P|C
A List all defined access routes.
P List all pre-defined access routes.
C List all custom-defined access routes.
-S List all users access routes.
-#level Turn on debug with the level specified.


A program definition is used for SUEXEC or WINRUNAS and specifies what programs a user may run and
with what arguments. It may be just the full path of a program, or there may be a space separated list specifying
what arguments match. No list means any arguments are allowed, "" means no arguments are
allowed, otherwise the list is an expression that must match the arguments given.
Note, program and arguments are assumed to be separated by exactly one space. Any extra spaces are
assumed to be part of the argument.

Rules for expression matching:

[abc] matches a, b or c
[a-z] matches any character in the range a-z
[!abc] matches any character but a, b and c
[-a] matches - or a
[[a] matches [or a
[]a] matches ] or a
* matches zero or more of any characters except within []
? matches any one character except within []
backslash escapes the meaning of any character except within []
Other characters match themselves


To enable user host1:bill to login through terminal tty34 between 8am and 5pm from Monday through

ttyadmin -a -l host1:bill -z ’LOGIN:tty34->host1’ -b 0800 -e 23 -w 123

ttyadmin supports multiple access route entries. So if user host1:bill only works in the afternoon on Thursdays
and Fridays the following should also be entered:

ttyadmin -a -l host1:bill -z ’LOGIN:tty34->host1’ -b 1300 -e 23 -w 45

To revoke user host1:bill’s authorization on terminal tty34:

ttyadmin -r -l host1:bill -z ’LOGIN:tty34->host1’

The following authorizes the user balder:tom to always access the host balder from the host foo through
the ftp server:

ttyadmin -a -l balder:tom -z ’FTP:foo->balder’ -w 1234567

The following allows the user balder:tom to run the mount command with the specified options as root on
the machine balder.

ttyadmin -a -l balder:tom -z ’suexec:*->root@balder’ -Z ’/bin/mount -t iso9660 /cdrom’

The access route below allows user balder:tom to start the telnet service as user administrator.

ttyadmin -a -l balder:tom -z ’winrunas:*->administrator@balder’ -Z ’"c:\windows\system32\net" start telnet’


mkbks(1B), pgrpadmin(1B), routeadm(1B), chroot(1), $BOKS_etc/method.conf

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: December 19, 2018