author Iker Pedrosa <ipedrosa@redhat.com> 2024-10-18 10:27:07 +0200
committer Iker Pedrosa <ipedrosa@redhat.com> 2024-10-22 15:11:32 +0200
commit 641dfd1084508c63f3590e93a35b80ffc50774e5 (patch)
tree 96b02f6bc9dae664d8303da9ea0607cbb9d8b0a1
parent ecaaf4456e5aeacae1acdb1775bb5aadd3b19e13 (diff)
pam_access: clarify `LOCAL` keyword behaviour
* modules/pam_access/access.conf.5.xml: `LOCAL` keyword behaviour explanation was focused on the development internals. Let's clarify it by rephrasing it to something a sysadmin can understand.

Resolves: https://issues.redhat.com/browse/RHEL-39943

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
-rw-r--r-- modules/pam_access/access.conf.5.xml 17
1 files changed, 6 insertions, 11 deletions
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index 35a1a8fe..0b93db00 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -79,17 +79,12 @@
with network mask (where network mask can be a decimal number or an
internet address also), <emphasis>ALL</emphasis> (which always matches)
or <emphasis>LOCAL</emphasis>. The <emphasis>LOCAL</emphasis>
- keyword matches if and only if
- <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
- when called with an <parameter>item_type</parameter> of
- <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an
- empty string (and therefore the
- <replaceable>origins</replaceable> field is compared against the
- return value of
- <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>
- called with an <parameter>item_type</parameter> of
- <emphasis>PAM_TTY</emphasis> or, absent that,
- <emphasis>PAM_SERVICE</emphasis>).
+ keyword matches when the user connects without a network
+ connection (e.g., <emphasis>su</emphasis>,
+ <emphasis>login</emphasis>). A connection through the loopback
+ device (e.g., <command>ssh user@localhost</command>) is
+ considered a network connection, and thus, the
+ <emphasis>LOCAL</emphasis> keyword does not match.
</para>
<para>
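Review bot: The added sentence beginning "keyword matches when the user connects without a network connection" drops the exact condition the removed lines gave (pam_get_item with PAM_RHOST returning NULL or an empty string) and replaces it with a description of intent, so a reader can no longer tell what decides the match for a service other than the su, login and ssh examples. Suggest keeping one short sentence after the loopback example saying that LOCAL matches only when the service supplies no remote host (PAM_RHOST unset or empty), and that the origins field is then compared against the TTY or, absent that, the service name, as the removed text stated. Smaller points: "connects without a network connection" reads circularly, and "logs in without a network connection" would be clearer; su and login are tagged <emphasis> while the ssh example uses <command>, so use <command> for all three.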