Control Connections

addressfamily

  • Version 7.5 and earlier: addressfamily setting not available.
  • Version 8.0 and later: addressfamily setting available.

To support both IPv4 and IPv6 connections, Privilege Management for Unix and Linux uses protocol-independent methods for host name resolution. If Privilege Management for Unix and Linux is installed on a single-stack node (IPv4-only or IPv6-only), the addressfamily setting may make host name resolution more efficient by specifying which address family Privilege Management for Unix and Linux should use.

addressfamily <ipv4 | ipv6 | any>
  • ipv4: Use IPv4 only.
  • ipv6: Use IPv6 only.
  • any: The network configuration on the host determines the address family. On dual- or hybrid-stack implementations, IPv4 or IPv6 may be requested/used. This is the default behavior if the keyword is not specified.
addressfamily ipv4

No default value

  • Policy server hosts
  • Log hosts
  • Submit hosts
  • Run hosts

allowlocalmode

  • Version 4.0.0 and later: allowlocalmode setting available.

Deprecated in favor of Optimized Run Mode.

When there is no need for ACA, no need to record the finish of an event in the event logs, and no need to process keystrokes, local mode can bypass some of the overhead of using a full session. Local mode changes the way in which the Privilege Management for Unix and Linux job stream is set up. Using local mode bypasses pblocald entirely. The submit host asks pbmasterd to run its usual policy and log the start of the event. If accepted, the target program overlays the client instead of running through pblocald. In this case, there can be no logging of the exit status or of forbidden or warning I/O sequences.

Local mode is usually started through the command line by using the -l option of pbrun (pbrun -l command), or by setting runlocalmode to true in the policy.

To disallow local mode, set allowlocalmode to no in your settings file. In a submit host settings file, this setting disallows the use of the -l command line switch.

On a policy server host, setting allowlocalmode to no is the equivalent of:

runlocalmode = false;
readonly runlocalmode;

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

allowlocalmode no
allowlocalmode yes
  • Policy server hosts
  • Run hosts
  • Submit hosts

For more information, please see Optimized Run Mode Processing.

allowremotejobs

  • Version 3.5 and earlier: allowremotejobs setting not available.
  • Version 4.0 and later: allowremotejobs setting available.

Privilege Management for Unix and Linux allows commands to execute on machines other than the one that submits the request. This action can be specified, for example, through the -h option of pbrun or in the policy file. The allowremotejobs setting controls this feature.

In version 7.1 and later, the submitremotejobs keyword also affects this feature. When the submitremotejobs keyword is not present, the allowremotejobs keyword functions exactly as prior versions functioned.

In version 7.0 and earlier, and with version 7.1 where the submitremotejobs keyword is not present on the submit host, setting allowremotejobs to no disables the use of the -h command line switch of pbrun.

On the run host, setting allowremotejobs to no makes pblocald reject all commands that did not originate on the run host.

On the policy server host, setting allowremotejobs to no makes pbmasterd reject all commands where the run host is different from the client host. In addition, runhost is set to the IP address of the submitting host and made read-only. Because the run host is resolved by IP address, this setting can be used to prevent run host spoofing in environments that do not use remote commands.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

allowremotejobs no
allowremotejobs yes
  • Policy server hosts
  • Run hosts
  • Submit hosts

submitremotejobs

  • Version 7.0 and earlier: submitremotejobs setting not available.
  • Version 7.1 and later: submitremotejobs setting available.

Privilege Management for Unix and Linux allows commands to execute on machines other than the one that submits the request. This action can be specified, for example, through the -h option of pbrun or in the policy file.

On the submit host, setting submitremotejobs to yes/no enables/disables the use of the -h command line switch of pbrun. If the submitremotejobs keyword is not present, the allowremotejobs keyword is used to enable/disable this feature.

submitremotejobs no
submitremotejobs yes

  • Submit hosts
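
The following added example (not BeyondTrust code) audits the allowlocalmode, allowremotejobs and submitremotejobs keywords for one host role, for a site that uses neither remote commands nor local mode. The "keyword value" line format with # comments, the function names and the sample file are assumptions of this example.

```python
# Added example: audit PMUL control-connection keywords for one host role.
# Assumption: settings are "keyword value" lines and "#" starts a comment.

def parse_settings(text):
    """Return {keyword: value}; a later line overrides an earlier one (assumed)."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    return settings

def remote_switch_setting(settings):
    """Keyword governing pbrun -h on a submit host, with its value."""
    # submitremotejobs wins when present; otherwise allowremotejobs is used.
    for key in ("submitremotejobs", "allowremotejobs"):
        if key in settings:
            return key, settings[key]
    return None, None  # neither keyword is set

def audit(text, role):
    """role is 'submit', 'run' or 'policy'. Returns a list of findings."""
    s = parse_settings(text)
    findings = []
    if s.get("allowlocalmode") != "no":
        findings.append("local mode not disallowed: no exit status or "
                        "forbidden/warning I/O logging for local-mode jobs")
    if role == "submit":
        key, value = remote_switch_setting(s)
        if value != "no":
            findings.append("pbrun -h not disabled (governed by %s)"
                            % (key or "no keyword"))
    elif s.get("allowremotejobs") != "no":
        # pblocald enforces this on run hosts, pbmasterd on policy servers.
        daemon = "pblocald" if role == "run" else "pbmasterd"
        findings.append("%s does not reject remote jobs" % daemon)
    return findings

# Constructed sample for a submit host that should not run remote commands.
SAMPLE = """\
# constructed sample, not a shipped file
allowremotejobs no
submitremotejobs yes
allowlocalmode no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "submit"):
        print(finding)
```

On the sample, the submit-host audit reports that -h is still enabled, because submitremotejobs takes precedence over allowremotejobs on a submit host.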

tcpkeepalive

  • Version 4.0 and later: tcpkeepalive setting available.

The tcpkeepalive setting enables TCP keepalive signals on all Privilege Management connections to or from the local host.

tcpkeepalive yes
tcpkeepalive no
  • Log hosts
  • Policy server hosts
  • Run hosts
  • Submit hosts