client-server combo can be used to snoop (watch) on a user's login tty.
is usually started by getty(8) or telnetd(8) and reads the file
to find out which tty's should be cloned and which programs to run on them
(usually /bin/login). A tty may be snooped through a pre-determined (ie.
fixed) device, or through a dynamically allocated pseudo-tty (pty). This is
also specified in the
file. To connect to the pty, the client
should be used. The available pseudo terminals pty are present as
sockets in the directory /var/spool/ttysnoop/.
Format of /etc/snooptab
file may contain comment lines (starting with a '#'), empty lines, or entries
for tty's that should be snooped upon. The format of such an entry is as
tty snoop-device type program
is the leaf-name of the tty that should be snooped upon (eg. ttyS2, not
/dev/ttyS2) OR the wildcard '*', which matches ANY tty.
is the device through which
should be snooped (eg. /dev/tty8) OR the literal constant "socket". The
latter is used to tell
that the snoop-device will be a dynamically allocated pty.
specifies the type of program that should be run, currently recognized
types are "init", "user" and "login" although the former two aren't really
is the full pathname to the program to run when
The following example
file should illustrate the typical use of
# example /etc/snooptab
ttyS0 /dev/tty7 login /bin/login
ttyS1 /dev/tty8 login /bin/login
# the wildcard tty should always be the last one in the file
* socket login /bin/login
# example end
With the above example, whenever a user logs in on /dev/ttyS0 or /dev/ttyS1,
either tty will be snooped through /dev/tty7 or /dev/tty8 respectively. Any
other tty's will be snooped through a pty that will be allocated at the time
of login. The system-administrator can then run
to snoop through the pty. Note that it is up to the system-administrator to
setup getty and/or telnetd so that they execute
instead of /bin/login.