SYSADMD(1M)
NAME
sysadmd - system administration daemon
SYNOPSIS
/usr/sysadm/bin/sysadmd [ -a auth-schemes ] [ -f log-file ]
[ -l log-filter ] [ -p protocol ] [ -s ]
DESCRIPTION
sysadmd is a server daemon that allows clients to perform remote system
administration. sysadmd is started by inetd(1M) when a client requests a
connection.
When sysadmd starts, it requires the client to provide a valid login and
password before allowing the client any kind of access to the system.
Like login(1), sysadmd does not accept passwords which have aged beyond
the limit, does not allow access to accounts which have been inactive for
too long, does not allow users with no passwords to log in if passwords
are mandatory, and locks out accounts after too many failed login
attempts. Unlike login, sysadmd does not ever prompt the user for a new
password; instead, the login attempt that requires a new password fails.
sysadmd is initially started as root (since it is started by inetd), but
it calls the setuid(2) system call with the user id provided by the
client once a valid login and password have been provided.
The login and password are transmitted across the network without any
kind of encryption, and thus sysadmd should be configured to refuse inetd
connections from clients on untrusted networks (see CONFIGURATION FILE
below).
sysadmd supports the gathering of system information for display by the
client via category plug-ins, which are dynamic shared objects. sysadmd
supports the changing of configuration information via runpriv(1M). When
sysadmd invokes runpriv, the identity established at startup is used.
This means that non-root users will not be able to make administrative
changes to the system unless they either know the root password or have
been granted special privileges. See the runpriv(1M) man page for more
details.
Command Line Options
To modify the sysadmd command line as started from inetd, edit the
/etc/inetd.conf configuration file, and restart inetd by sending it a
SIGHUP signal as follows:
     killall -HUP inetd

-a auth-schemes   Specify the allowed client authentication schemes.
                  auth-schemes is a comma-separated list of
                  authentication schemes that sysadmd will accept.
                  Currently, the only available scheme is unix, which
                  requires a valid login/password pair before sysadmd
                  will respond to further requests.

-p protocol       Specify the protocol used for communication with the
                  client. Currently, the only available protocol is
                  tcpmux, which is the protocol used when sysadmd is
                  started by inetd.

-f log-file       Specify a file or device for log output. This option
                  may be specified multiple times if logging to multiple
                  destinations is desired.

-s                Specify that log messages should be sent to
                  syslogd(1M). Note that sysadmd always logs login and
                  security related messages to syslogd.

-l log-filter     Specify the logging granularity. Each -l option is
                  applied to the previous -f or -s option. log-filter
                  is a string made up of the characters f (fatal
                  errors), e (non-fatal errors), w (warnings), i
                  (information messages), d (debug messages), and t
                  (execution trace). The default if no filter is
                  specified is fewi, which means that fatal errors,
                  errors, warnings, and information messages will be
                  logged. To see all messages, specify a filter of
                  fewidt.
CONFIGURATION FILE
The behavior of sysadmd can be modified via settings in the file
/var/sysadm/sysadmd.conf. The format of this file is a keyword, followed
by a colon, followed by a value, and terminated with a newline. A line
whose first character is a '#' is a comment, which extends until the next
newline character. An example configuration file is installed as
/var/sysadm/sysadmd.conf.example.
The following keys are meaningful to sysadmd:

tcpmux.allowHosts   Comma or space separated list of hosts which are
                    allowed to access sysadmd via inetd.

tcpmux.denyHosts    Comma or space separated list of hosts which are
                    not allowed to access sysadmd via inetd.
The elements of the tcpmux.allowHosts and tcpmux.denyHosts lists can be
host names, IP Addresses, domain names, or networks. IP Addresses and
networks are specified via standard dot notation such as 192.0.2.1 (IP
Address) or 192.0.2 (network). Networks may also be specified by a pair
of numbers in dot notation specifying the network and the netmask, for
example 192.0.2.0/255.255.255.0. Domain names are distinguished from
host names by the presence of a leading '.' character: mars.sgi.com is
interpreted as a hostname and .sgi.com is interpreted as a domain name.
The keyword all can be used to match all hosts.
The order in which tcpmux.allowHosts and tcpmux.denyHosts appear in the
configuration file is significant. If tcpmux.allowHosts is first, then
hosts are denied access by default. A host must match the
tcpmux.allowHosts list and not match the tcpmux.denyHosts list in order
to access sysadmd.
If tcpmux.denyHosts is first, then hosts are allowed access by default.
A host must match the tcpmux.denyHosts list and not match the
tcpmux.allowHosts list in order to be denied access to sysadmd.
By default (with neither tcpmux.allowHosts nor tcpmux.denyHosts specified
in the configuration file), all hosts are allowed access to sysadmd.
Regardless of tcpmux.allowHosts or tcpmux.denyHosts settings, clients
must specify a valid login/password combination in order to be able to
access any of sysadmd's services.
tcpmux.denyMessage  Message displayed by the client when access is
                    denied.

logFile             File or device for logging output. If the -f
                    option is specified on the command line, the
                    logFile setting in the configuration file is
                    ignored.

logFile.filter      Filter that specifies which messages are logged to
                    the file specified by the logFile setting. The
                    syntax of logFile.filter is the same as the syntax
                    of the argument to the -l command line option.

syslog.filter       Filter for specifying which messages are logged to
                    syslogd. The syntax of syslog.filter is the same
                    as the syntax of the argument to the -l command
                    line option. This setting has no effect if the -s
                    option was specified on the command line.
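
The ordering rule for tcpmux.allowHosts and tcpmux.denyHosts described above, as an added example for auditing a sysadmd.conf before deployment (not sysadmd's own code). The function names and the sample configurations are constructed; the example assumes the client's host name is supplied by the caller rather than resolved, compares names case-insensitively, and merges repeated keys.

```python
import ipaddress
import re

KEYS = ("tcpmux.allowHosts", "tcpmux.denyHosts")

def parse_conf(text):
    """Return [(key, [elements])] for the two host lists, in file order."""
    rules = []
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue                      # comment, or not "keyword: value"
        key, value = (s.strip() for s in line.split(":", 1))
        if key in KEYS:
            rules.append((key, [e for e in re.split(r"[,\s]+", value) if e]))
    return rules

def matches(elem, ip, host):
    """Match one list element against a client IP and (optional) host name."""
    if elem == "all":
        return True
    if "/" in elem:                       # network/netmask pair
        return ipaddress.ip_address(ip) in ipaddress.ip_network(elem, strict=False)
    if re.fullmatch(r"\d+(\.\d+){0,3}", elem):
        parts = elem.split(".")           # 4 parts: IP address; fewer: network
        return ip.split(".")[:len(parts)] == parts
    if elem.startswith("."):              # leading '.' marks a domain name
        return host.lower().endswith(elem.lower())
    return host.lower() == elem.lower()   # plain host name

def allowed(conf_text, ip, host=""):
    """Apply the documented rule: whichever key appears first sets the default."""
    rules = parse_conf(conf_text)
    if not rules:
        return True                       # neither key present: all hosts allowed
    lists = {k: [] for k in KEYS}
    for key, elems in rules:
        lists[key] += elems
    in_allow = any(matches(e, ip, host) for e in lists[KEYS[0]])
    in_deny = any(matches(e, ip, host) for e in lists[KEYS[1]])
    if rules[0][0] == KEYS[0]:            # allowHosts first: denied by default
        return in_allow and not in_deny
    return not (in_deny and not in_allow) # denyHosts first: allowed by default

# Constructed samples: the same two lines in opposite order.
ALLOW_FIRST = ("# constructed sample\n"
               "tcpmux.allowHosts: 192.0.2, .sgi.com\n"
               "tcpmux.denyHosts: 192.0.2.66\n")
DENY_FIRST = ("tcpmux.denyHosts: 192.0.2.66\n"
              "tcpmux.allowHosts: 192.0.2, .sgi.com\n")
```

With ALLOW_FIRST, 192.0.2.66 and every host outside the allow list are refused; with DENY_FIRST the same two lines admit both, because the deny entry also matches the allow list and the default has become allow.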
FILES
/var/sysadm/sysadmd.conf             Configuration file
/var/sysadm/sysadmd.conf.example     Example configuration file
/usr/sysadm/protocols/*              Connection protocols
/usr/sysadm/services/authScheme/*    Authentication schemes
/usr/sysadm/services/*               sysadmd services
/usr/sysadm/category/*               Category plug-ins
SEE ALSO
login(1), listclients(1M), inetd(1M), syslogd(1M), runpriv(1M),
chkconfig(1M), setuid(2).