Communications Access Methods for SAS/CONNECT and SAS/SHARE Software

Starting the UNIX Spawner Program

As an alternative method to signing on through the TELNET daemon, the UNIX spawner program allows SAS/CONNECT sessions on UNIX systems without requiring that username and password pairs be passed over the network in clear text mode.

If the local SAS session is running Release 6.09E or a subsequent release or Release 6.11 TS040 or a subsequent release, all data that flow from the local host to the spawner program during sign on are encrypted.

Unlike the TELNET sign-on process, the UNIX spawner program allows sign ons to a UNIX system without scripts. In most cases, you should run the UNIX spawner using the root privilege in order to start the remote SAS processes with the privileges of the user who connects to the spawner.

For connections to a UNIX remote host with the TCP/IP access method, SAS/CONNECT uses the default authentication program to verify the remote host's userid and to verify that the password is correct for the specified userid. A SAS/CONNECT user implicitly invokes the authentication program when making a connection to a UNIX remote host by means of the UNIX spawner program.

The spawner program is stored on the remote host in the !sasroot/utilities/bin directory.

Here is the syntax for the command to start the UNIX spawner program:

SASTCPD <-BACKGROUND>
<-HELP>
<-NETENCRYPTALGORITHM=("algorithm1", "algorithm2" ... )>
<-NETENCRYPT=YES | NO>
<-NETENCRYPTKEYLEN=n>
<-NETMAC | -NONETMAC>
<-NOCLEARTEXT>
<-NOSCRIPT>
<-PATH filename>
<-SASCMD filename>
<-SERVICE service-name>
<-SHELL>
<-USER>

-BACKGROUND
specifies that the UNIX spawner program run as a background process. The default specifies that the spawner program run in the foreground.

-HELP
prints a list of valid parameters.

-NETENCRYPTALGORITHM=("algorithm1", "algorithm2", ...)
If you specify more than one algorithm, enclose the algorithm names in parentheses and use commas to separate the names. If an algorithm name contains embedded blanks, enclose that name in quotation marks.

The alias is NETENCRALG.

Set this option at the server and, optionally, at the client to specify one or more encryption algorithms to use in a SAS/SHARE client/server session. However, the client and the server must share an encryption algorithm in common. If you specify the option in the server session only, the client side attempts to select an algorithm that was specified at the server. If you also set the option at the client and specify an algorithm that is not specified at the server, the client's attempt to connect to that server fails when the client assigns a library.

Valid values for this option are
RC2
RC4
DES
TripleDES
SAS Proprietary.

See the SAS/CONNECT User's Guide or the SAS/SHARE User's Guide for more information about the NETENCRYPTALGORITHM= option.

-NETENCRYPT=YES|NO
or
-NETENCRYPT | -NONETENCRYPT
Set this option at both the client and the server. At the server, this option specifies that encryption is required for each connection from a client SAS session. At the client, this option specifies that the client must connect only to a server that supports encryption.

The alias is NETENCR.

The default for this option is that encryption is used if the NETENCRYPTALGORITHM option is set and if both the client and server sides are capable of encryption. If encryption algorithms were specified but either the client or the server side is incapable of encryption, then encryption will not be performed.

Encryption may not be supported at the client or the server for the following reasons:

See the SAS/CONNECT User's Guide or the SAS/SHARE User's Guide for more information about the -NETENCRYPT= option.
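The algorithm-selection rules from the -NETENCRYPTALGORITHM and -NETENCRYPT descriptions above, worked through as an added shell model (not SAS code and not part of this page). It parses lists written in the option's own ("alg1", "alg2") syntax; treating a server with no algorithm list as "no encryption" is an assumption, since the text does not cover that case:

```shell
#!/bin/sh
# Model of the NETENCRYPTALGORITHM negotiation described in the option text.
# Added illustration only; the spawner and the client negotiate internally.
# Lists use the option's own syntax, e.g. '("RC2", "SAS Proprietary")';
# an empty string means the option is not set on that side.

# alg_names LIST: print one algorithm per line, stripping the parentheses,
# quotation marks and surrounding blanks while keeping embedded blanks
# ("SAS Proprietary" stays one name).
alg_names() {
    printf '%s\n' "$1" | tr -d '()"' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# pick_algorithm SERVER_LIST CLIENT_LIST: print the algorithm the session uses.
#   server unset  -> NONE (assumption: nothing to negotiate, no encryption)
#   client unset  -> the client adopts an algorithm the server listed (first one)
#   both set      -> first client algorithm the server also lists, else FAIL
#                    (the client's library assignment fails, per the text)
pick_algorithm() {
    server=$(alg_names "$1")
    client=$(alg_names "$2")
    if [ -z "$server" ]; then echo NONE; return 0; fi
    if [ -z "$client" ]; then printf '%s\n' "$server" | head -n 1; return 0; fi
    old_ifs=$IFS; IFS='
'
    for c in $client; do
        if printf '%s\n' "$server" | grep -qFx -- "$c"; then
            IFS=$old_ifs; echo "$c"; return 0
        fi
    done
    IFS=$old_ifs
    echo FAIL
}
```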

-NETENCRYPTKEYLEN=n
You set this option in either the client or the server SAS session. It specifies the key length to be used by the encryption algorithm.

Valid values for this option are
128 specifies strong encryption (1024-bit RSA and 128-bit RC2 and RC4 key algorithms).
40 specifies weak encryption (512-bit RSA and 40-bit RC2 and RC4 key algorithms).
0 no value is set. This is the default.

If you require the extra security provided by strong encryption, then set the -NETENCRYPTKEYLEN option to 128. If you prefer weak encryption in order to save CPU, then set the -NETENCRYPTKEYLEN option to 40.

By default, if a host that is capable of both strong and weak encryption connects to a host that is capable of only weak encryption, the connection is made with weak encryption. If both hosts are capable of strong and weak encryption, then strong encryption is used.

See the SAS/CONNECT User's Guide or the SAS/SHARE User's Guide for more information about the -NETENCRYPTKEYLEN= option.

-NETMAC | -NONETMAC
Set this option to control the use of Message Authentication Codes (MACs) on network communications. A Message Authentication Code is the equivalent of a checksum that is used to ensure that the original message has not been modified.

This option may be set at either the client or the server. The default is -NETMAC.

See the SAS/CONNECT User's Guide or the SAS/SHARE User's Guide for more information about the -NETMAC option.

-NOCLEARTEXT
prevents a sign on from a client that does not support username and password encryption. This option prevents clients in a SAS session that are running releases prior to 6.09E and 6.11 TS040 from signing on to the spawner program. The default is to accept both encrypted and clear-text userids and passwords. This allows clients in a SAS session that are running releases prior to 6.09E and 6.11 TS040 to sign on to the UNIX spawner program.

-NOSCRIPT
prevents sign ons from clients that use scripts, and allows sign ons only from clients that do not use scripts.

For the TCP/IP access method, the spawner program requires a script file, or it will verify the userid and the password assigned to the variable TCPSEC. See SAS/CONNECT and SAS/SHARE TCPSEC Variable for details about setting TCPSEC.

If you use the -NOSCRIPT option, you must also use the -SASCMD option.

-PATH pathname
specifies the location of the encryption algorithms (-NETENCRYPTALGORITHM, -NETENCRYPT, -NETENCRYPTKEYLEN, and -NETMAC) on your system. Also, if you invoke an encryption algorithm, you must specify the -PATH option. Ask your system administrator for the pathname information.

-SASCMD filename
specifies the name of an executable file that starts a SAS session when you sign on without a script. If the RLINK fileref is not defined in the local client SAS session, then the user is signing on without a script. In this case, the -SASCMD option must be specified.

Here is an example of the content of an executable file that starts a SAS session:

#!/bin/ksh
#----------------------------------
# mystartup: started by sastcpd -sascmd to launch the remote SAS session
#----------------------------------
# load the user's environment (PATH to sas and any SAS-related variables)
. ~/.profile
# -dmr -comamid tcp: run as a SAS/CONNECT remote session over TCP/IP;
# the backslash keeps ksh from expanding $syntaxcheck as a shell variable
sas -dmr -noterminal -no\$syntaxcheck \
    -device grlink -comamid tcp
#----------------------------------

-SERVICE service-name
specifies the name of the service that the UNIX spawner program uses to listen for incoming requests. This value is identical to the service value in the REMOTE= option that the user specifies at the local host prior to sign on. Because there is no default, you must specify this value. See Specifying the Remote Node Name for details.

The service name must be defined identically in the /etc/services file on both the local and remote hosts. See Configuring the SERVICES File for more information about the /etc/services file.

-SHELL
allows the SAS session that is invoked by the UNIX spawner program to create a shell. A shell is necessary for the remote host to execute commands.

-USER
allows the UNIX spawner program to run without root privileges. SAS assumes the security status of the user or the administrator who started the spawner program. The default action is to assume the privileges of the user whose username and password are given to the UNIX spawner program.

Note: Because some UNIX systems require root privilege in order to validate passwords, this option may not work on all UNIX systems.


Examples of Starting and Connecting to the UNIX Spawner Program

The following examples illustrate how to start the spawner program and how to connect to it.

Example 1:

The following command starts the spawner program at the remote UNIX host with the service spawner and allows connections only from clients that support username and password encryption.


sastcpd -service spawner -nocleartext

At a Windows NT client host, the following statements specify a script file named tcpunix.scr that makes a connection to the spawner program named monarch.spawner. The value monarch for REMOTE= is the name of the UNIX node, or it can be a macro variable that contains the Internet address of the UNIX node where the spawner program is running.


options comamid=tcp;
options remote=monarch.spawner;
filename rlink '!sasroot\connect\saslink\tcpunix.scr';
signon;

Example 2:

From the UNIX node that will be the remote side of a SAS/CONNECT session, the following command starts the spawner program with the service name spawner, which supports only sign ons without scripts.


sastcpd -service spawner -noscript -sascmd /u/username/mystartup

The mystartup file starts the remote SAS session. See the -SASCMD option for an example of the content of the mystartup executable file.

At a Windows NT client, the following statements use the TCPSEC macro variable to pass the userid bass and the password time2go to the remote host rmthost and connect to the spawner program spawner. The value rmthost must be either the node name of the UNIX node or a macro variable that contains the Internet address of the UNIX node where the spawner program is running.


options comamid=tcp;
%let tcpsec=bass.time2go;
signon rmthost.spawner;

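An added pre-flight script (not part of SAS or of this page) that checks the conditions the option descriptions impose before sastcpd is started: the service must be defined in the services file, -NOSCRIPT needs an executable -SASCMD file, and using an encryption algorithm needs -PATH. The service port, the sample files and the choice of RC4 are constructed assumptions:

```shell
#!/bin/sh
# Pre-flight checks for starting sastcpd with the options documented above.
# Added example, not SAS code; the service name, port and files are constructed.
# service_defined NAME FILE: true when NAME has a TCP entry in a services
# file (the page requires an identical entry on the local and remote hosts).
service_defined() {
    grep -Eq "^$1[[:space:]]+[0-9]+/tcp" "$2"
}
# sascmd_usable FILE: -NOSCRIPT requires -SASCMD, which must name an
# executable startup file such as the mystartup script shown above.
sascmd_usable() {
    [ -f "$1" ] && [ -x "$1" ]
}
# build_sastcpd_cmd SERVICE SASCMD [ALGPATH]: print a command line for a
# spawner that refuses clear-text passwords and scripted sign-ons. When the
# encryption-library path is supplied, also require encryption with 128-bit
# keys and MACs; the page makes -PATH mandatory once an algorithm is used.
build_sastcpd_cmd() {
    cmd="sastcpd -service $1 -nocleartext -noscript -sascmd $2"
    if [ -n "$3" ]; then
        cmd="$cmd -netencrypt=yes '-netencryptalgorithm=(\"RC4\")'"
        cmd="$cmd -netencryptkeylen=128 -netmac -path $3"
    fi
    printf '%s\n' "$cmd"
}
# preflight SERVICE SASCMD SERVICES_FILE: run every check, report each
# failure on stderr and return non-zero if any check failed.
preflight() {
    rc=0
    if ! service_defined "$1" "$3"; then
        echo "service '$1' is not defined in $3" >&2; rc=1
    fi
    if ! sascmd_usable "$2"; then
        echo "-sascmd file '$2' is missing or not executable" >&2; rc=1
    fi
    return $rc
}
# make_sample_env: constructed services file and startup script for a dry
# run; prints the temporary directory that holds them.
make_sample_env() {
    d=$(mktemp -d)
    printf 'spawner\t5010/tcp\n' > "$d/services"   # constructed port number
    printf '#!/bin/sh\nexit 0\n' > "$d/mystartup"   # stand-in for mystartup
    chmod +x "$d/mystartup"
    printf '%s\n' "$d"
}
```

Run `preflight spawner /u/username/mystartup /etc/services` on the remote host before starting the spawner with the line that build_sastcpd_cmd prints.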

Ending the UNIX Spawner Program

To end the spawner program, enter the interrupt signal, which typically is CTRL-C. If the UNIX spawner is running in the background, kill its process.



Copyright © 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.