SYSADMD(1M)                                                     SYSADMD(1M)

NAME
sysadmd - system administration daemon
SYNOPSIS
/usr/sysadm/bin/sysadmd [ -a auth-schemes ] [ -f log-file ]
[ -l log-filter ] [ -p protocol ] [ -s ]
DESCRIPTION
sysadmd is a server daemon that allows clients to perform remote system
administration. sysadmd can either be started directly by inetd(1M) or
started by rshd(1M) (or any other remote shell server), depending on the
connection protocol chosen by the client and permitted by the server.
When sysadmd is started by inetd, it requires the client to provide a
valid login and password before allowing the client any kind of access to
the system. Like login(1), sysadmd does not accept passwords which have
aged beyond the limit, does not allow access to accounts which have been
inactive for too long, does not allow users with no passwords to log in
if passwords are mandatory, and locks out accounts after too many failed
login attempts. Unlike login, sysadmd does not ever prompt the user for
a new password; instead, the login attempt that requires a new password
fails. sysadmd is initially started as root (since it is started by
inetd), but it calls the setuid(2) system call with the user id provided
by the client once a valid login and password have been provided.
The login and password are transmitted across the network in cleartext,
without any kind of encryption, so anyone able to observe the traffic can
capture them. sysadmd should therefore be configured, via the
tcpmux.allowHosts and tcpmux.denyHosts settings, to refuse inetd
connections from clients on untrusted networks (see CONFIGURATION FILE
below).
sysadmd supports the gathering of system information for display by the
client via category plug-ins, which are dynamic shared objects. sysadmd
supports the changing of configuration information via runpriv(1M). When
sysadmd invokes runpriv, the identity established at startup (either by
rshd or by sysadmd) is used. This means that non-root users will not be
able to make administrative changes to the system unless they either know
the root password or have been granted special privileges. See the
runpriv(1M) man page for more details.
Command Line Options
To modify the sysadmd command line as started from inetd, edit the
/etc/inetd.conf configuration file, and make inetd re-read its
configuration by sending it a SIGHUP signal as follows:
killall -HUP inetd
The command line used when sysadmd is started by rshd is under the
control of the client.
-a auth-schemes Specify the allowed client authentication schemes.
auth-schemes is a comma-separated list of
authentication schemes that sysadmd will accept.
Available schemes are unix and null. The default
scheme is unix, which requires a valid login/password
pair before sysadmd will respond to further requests.
The null authentication scheme does not require
authentication of any kind, and is intended for use
only when sysadmd is started from rshd. Since rshd
implements its own authentication scheme, no further
authentication is required on the part of sysadmd.
The tcpmux protocol used from inetd performs no
authentication of its own, so listing null in
auth-schemes for an inetd-started sysadmd would let
any client that passes the host checks in without a
login and password.
-p protocol Specify the protocol used for communication with the
client. protocol must be either tcpmux or
remoteshell. tcpmux is the default, and is the
protocol used when sysadmd is started by inetd.
remoteshell is the protocol used when sysadmd is
started by rshd.
-f log-file Specify a file or device for log output. This option
may be specified multiple times if logging to multiple
destinations is desired.
-s Specify that log messages should be sent to
syslogd(1M). Note that sysadmd always logs login and
security related messages to syslogd.
-l log-filter Specify the logging granularity. Each -l option is
applied to the previous -f or -s option. log-filter
is a string made up of the characters f (fatal
errors), e (non-fatal errors), w (warnings), i
(information messages), d (debug messages), and t
(execution trace). The default if no filter is
specified is fewi, which means that fatal errors,
errors, warnings, and information messages will be
logged. To see all messages, specify a filter of
fewidt.
CONFIGURATION FILE
The behavior of sysadmd can be modified via settings in the file
/var/sysadm/sysadmd.conf. The format of this file is a keyword, followed
by a colon, followed by a value, and terminated with a newline. A line
whose first character is a '#' is a comment, which extends until the next
newline character. An example configuration file is installed as
/var/sysadm/sysadmd.conf.example.
The following keys are meaningful to sysadmd:
tcpmux.allowHosts Comma or space separated list of hosts which are
allowed to access sysadmd via inetd.
tcpmux.denyHosts Comma or space separated list of hosts which are
not allowed to access sysadmd via inetd.
The elements of the tcpmux.allowHosts and tcpmux.denyHosts lists can be
host names, IP Addresses, domain names, or networks. IP Addresses and
networks are specified via standard dot notation such as 192.0.2.1 (IP
Address) or 192.0.2 (network). Networks may also be specified by a pair
of numbers in dot notation specifying the network and the netmask, for
example 192.0.2.0/255.255.255.0. Domain names are distinguished from
host names by the presence of a leading '.' character: mars.sgi.com is
interpreted as a hostname and .sgi.com is interpreted as a domain name.
The keyword all can be used to match all hosts.
The order in which tcpmux.allowHosts and tcpmux.denyHosts appear in the
configuration file is significant. If tcpmux.allowHosts is first, then
hosts are denied access by default. A host must match the
tcpmux.allowHosts list and not match the tcpmux.denyHosts list in order
to access sysadmd.
If tcpmux.denyHosts is first, then hosts are allowed access by default.
A host must match the tcpmux.denyHosts list and not match the
tcpmux.allowHosts list in order to be denied access to sysadmd.
By default (with neither tcpmux.allowHosts nor tcpmux.denyHosts specified
in the configuration file), all hosts are allowed access to sysadmd.
Regardless of tcpmux.allowHosts or tcpmux.denyHosts settings, clients
must specify a valid login/password combination in order to be able to
access any of sysadmd's services. The tcpmux.allowHosts and
tcpmux.denyHosts settings have no effect when sysadmd is started by rshd.
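The following is an added example, not SGI's code and not part of this
manual page: a Python model of the sysadmd.conf keyword:value format and of
the tcpmux.allowHosts / tcpmux.denyHosts decision rule described above
(host names, IP addresses, dotted network prefixes, network/netmask pairs,
leading-dot domain names, the all keyword, and the significance of which
key appears first). Assumptions it makes that the page does not state: the
client's host name is supplied already resolved; a repeated key extends the
earlier list; a partial dotted address such as 192.0.2 covers 8 bits per
octet given; host names are compared exactly. The two configurations and
the client hosts are constructed for the example.

```python
# Added example (not SGI's code, not part of sysadmd(1M)): model of the
# sysadmd.conf format and the allowHosts/denyHosts ordering rule.
# Assumptions (not from the page): client host name is taken as given;
# repeated keys extend the earlier list; partial dotted network such as
# 192.0.2 means a prefix of 8 bits per octet; host names match exactly.
import ipaddress
import re

ALLOW = "tcpmux.allowHosts"
DENY = "tcpmux.denyHosts"


def parse_conf(text):
    """Return (key, value) pairs in file order; order matters for the two
    host lists.  Lines starting with '#' are comments, blank lines ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        entries.append((key.strip(), value.strip()))
    return entries


def split_hosts(value):
    """Host lists may be comma or space separated."""
    return [h for h in re.split(r"[,\s]+", value) if h]


def matches(element, host, addr):
    """Does one list element match a client with name `host`, address `addr`?"""
    if element == "all":
        return True
    if element.startswith("."):                     # domain name, e.g. .sgi.com
        return host.endswith(element)
    if "/" in element:                              # network/netmask pair
        return addr in ipaddress.ip_network(element, strict=False)
    if re.fullmatch(r"\d+(\.\d+){0,3}", element):   # dotted address or network
        octets = element.split(".")
        if len(octets) == 4:
            return addr == ipaddress.ip_address(element)
        prefix = ".".join(octets + ["0"] * (4 - len(octets)))
        return addr in ipaddress.ip_network("%s/%d" % (prefix, 8 * len(octets)))
    return element == host                          # plain host name


def allowed(entries, host, addr):
    """Apply the documented ordering rule; True means access is granted."""
    addr = ipaddress.ip_address(addr)
    lists = {ALLOW: [], DENY: []}
    order = []
    for key, value in entries:
        if key in lists:
            lists[key].extend(split_hosts(value))
            if key not in order:
                order.append(key)
    if not order:                   # neither key present: every host allowed
        return True
    in_allow = any(matches(e, host, addr) for e in lists[ALLOW])
    in_deny = any(matches(e, host, addr) for e in lists[DENY])
    if order[0] == ALLOW:           # allowHosts first: deny by default
        return in_allow and not in_deny
    return not (in_deny and not in_allow)   # denyHosts first: allow by default


# Constructed sample configurations, not shipped files.
LOCKED_DOWN = """\
# deny by default; only the management subnet and the local domain get in
tcpmux.allowHosts: 192.0.2.0/255.255.255.0 .example.com
tcpmux.denyHosts: 192.0.2.99, kiosk.example.com
tcpmux.denyMessage: sysadmd access denied
"""

PERMISSIVE = """\
# allow by default; block one network except for a single admin host
tcpmux.denyHosts: 198.51.100
tcpmux.allowHosts: admin.example.net
"""

if __name__ == "__main__":
    for name, conf in (("LOCKED_DOWN", LOCKED_DOWN), ("PERMISSIVE", PERMISSIVE)):
        for host, addr in (("mars.example.com", "192.0.2.10"),
                           ("admin.example.net", "198.51.100.4"),
                           ("box.example.org", "203.0.113.7")):
            print(name, host, addr, allowed(parse_conf(conf), host, addr))
```

Because the shipped default (no list at all) admits every host, and the
credentials travel in cleartext, the allowHosts-first form is the one to
start from. Host-name and domain-name elements are only as trustworthy as
the name lookup behind them; on a network where DNS is not trusted, prefer
address and network elements.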
tcpmux.denyMessage Message displayed by the client when access is
denied.
logFile File or device for logging output. If the -f
option is specified on the command line, the
logFile setting in the configuration file is
ignored.
logFile.filter Filter that specifies which messages are logged to
the file specified by the logFile setting. The
syntax of logFile.filter is the same as the syntax
of the argument to the -l command line option.
syslog.filter Filter for specifying which messages are logged to
syslogd. The syntax of syslog.filter is the same
as the syntax of the argument to the -l command
line option. This setting has no effect if the -s
option was specified on the command line.
FILES
/var/sysadm/sysadmd.conf Configuration file
/var/sysadm/sysadmd.conf.example Example Configuration file
/usr/sysadm/protocols/* Connection protocols
/usr/sysadm/services/authScheme/* Authentication schemes
/usr/sysadm/services/* sysadmd services
/usr/sysadm/category/* Category plug-ins.
SEE ALSO
login(1), listclients(1M), inetd(1M), rshd(1M), syslogd(1M), runpriv(1M),
chkconfig(1M), setuid(2).