Host Name Verification

nameresolutiontimeout

  • Version 5.1.1 and earlier: nameresolutiontimeout setting not available.
  • Version 5.1.2 and later: nameresolutiontimeout setting available.

Privilege Management for Unix and Linux attempts to obtain fully qualified domain names when a pblogd, pbksh, pbsh, pblocald, pbmasterd, or pbrun session is started. The nameresolutiontimeout setting defines how long, in seconds, the name resolution request can run before it expires. For the daemons (pbmasterd, pblocald, pblogd), the timeout period is approximate.

Setting nameresolutiontimeout to 0 disables this feature. The allowed timeout values range from 1 to 7200 seconds.

nameresolutiontimeout 30
nameresolutiontimeout 0
  • pblocald, pbksh, pbsh, pbrun
  • pblogd, pbmasterd

shortnamesok

  • Version 4.0.0 and later: shortnamesok setting available.

Privilege Management for Unix and Linux attempts to obtain fully qualified domain names for all hosts that are involved in a task request. If some of the name services return fully qualified names but others return only short names, you can instruct Privilege Management for Unix and Linux to check only the short name by setting shortnamesok to yes.

This option is intended as a temporary measure for discrepancies in a system’s name services. This option decreases security because it permits a partial name match (for example, two machines in different domains with the same short name would match). It is preferable to make the name services consistent whenever possible.

shortnamesok yes
shortnamesok no
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

validatemasterhostname

  • Version 3.5 and earlier: validatemasterhostname setting not available.
  • Version 4.0 and later: validatemasterhostname setting available.

The validatemasterhostname setting enables the system administrator on the run host to perform an additional validation of the policy server host’s name against the run host’s name services. The run host looks up the connecting host’s IP address in its own name services and checks whether the resulting name matches the masterhost variable that was looked up on the policy server host. When set to yes, the request is rejected if the names do not match.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

validatemasterhostname yes
validatemasterhostname no

Run hosts

validateclienthostname

  • Version 3.5 and earlier: validateclienthostname not available.
  • Version 4.0 and later: validateclienthostname setting available.

The validateclienthostname setting enables the system administrator on the policy server host to perform an additional validation of the submit host’s name against the policy server host’s name services. The policy server host looks up the connecting host’s IP address in its own name services and checks whether the resulting name matches the clienthost variable that was looked up on the submit host. When set to yes, the request is rejected if the names do not match.

validateclienthostname yes
validateclienthostname no

Policy server hosts
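
The following is an added illustration, not code from Privilege Management for Unix and Linux. It models the validateclienthostname check together with the shortnamesok comparison described above, to show how short-name matching accepts a host from a different domain. The lookup table, host names, function names, case-insensitive comparison, and the rejection of unresolvable peers are assumptions made for the example.

```python
# Added illustration: models the checks described above; not the product's code.
# PTR_RECORDS stands in for the policy server host's name services (constructed).
PTR_RECORDS = {
    "10.0.1.15": "build01.prod.example.com",
    "10.0.2.15": "build01.dev.example.com",
    "10.0.3.20": "web07",  # a name service that returns only a short name
}


def normalize(host: str) -> str:
    """Lowercase a host name and drop surrounding space and a trailing dot."""
    return host.strip().rstrip(".").lower()


def short_name(host: str) -> str:
    """Return the label before the first dot."""
    return normalize(host).split(".", 1)[0]


def names_match(claimed: str, resolved: str, shortnamesok: bool) -> bool:
    """With shortnamesok, only the short names are compared."""
    if shortnamesok:
        return short_name(claimed) == short_name(resolved)
    return normalize(claimed) == normalize(resolved)


def validate_client(peer_ip: str, clienthost: str, *, validate: bool,
                    shortnamesok: bool, ptr=PTR_RECORDS) -> bool:
    """Return True if the request is accepted, False if it is rejected."""
    if not validate:
        return True  # the additional validation is not performed
    resolved = ptr.get(peer_ip)
    if resolved is None:
        return False  # assumption: a peer that cannot be resolved is rejected
    return names_match(clienthost, resolved, shortnamesok)


if __name__ == "__main__":
    claimed = "build01.prod.example.com"
    for ip in ("10.0.1.15", "10.0.2.15"):
        for sn in (False, True):
            ok = validate_client(ip, claimed, validate=True, shortnamesok=sn)
            print(f"peer={ip} clienthost={claimed} shortnamesok={sn} accepted={ok}")
```

With shortnamesok enabled, the peer at 10.0.2.15 (build01.dev.example.com) is accepted while claiming to be build01.prod.example.com, which is the partial match the shortnamesok description warns about.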