author | Thorsten Kukuk <kukuk@suse.com> | 2024-11-14 10:27:28 +0100 |
---|---|---|
committer | Thorsten Kukuk <kukuk@suse.com> | 2024-11-18 23:09:45 +0100 |
commit | 940747f88c16e029b69a74e80a2e94f65cb3e628 (patch) | |
tree | a116319f772564a78195b095305723f3f00103fb /modules/pam_access/pam_access.8.xml | |
parent | 37b416c152ed833dcc55c84068c77eb713748d24 (diff) | |
download | pam-940747f88c16e029b69a74e80a2e94f65cb3e628.tar.gz pam-940747f88c16e029b69a74e80a2e94f65cb3e628.tar.bz2 pam-940747f88c16e029b69a74e80a2e94f65cb3e628.zip |
pam_access: rework resolving of tokens as hostname
* modules/pam_access/pam_access.c: separate resolving of IP addresses
from hostnames. Don't resolve TTYs or display variables as hostname
(#834).
Add "nodns" option to disallow resolving of tokens as hostname.
* modules/pam_access/pam_access.8.xml: document nodns option
* modules/pam_access/access.conf.5.xml: document that hostnames should
be written as FQHN.
Diffstat (limited to 'modules/pam_access/pam_access.8.xml')
-rw-r--r-- | modules/pam_access/pam_access.8.xml | 46 |
1 files changed, 31 insertions, 15 deletions
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml index c991d7a0..71a4f7ee 100644 --- a/modules/pam_access/pam_access.8.xml +++ b/modules/pam_access/pam_access.8.xml @@ -23,10 +23,13 @@ debug </arg> <arg choice="opt" rep="norepeat"> + noaudit + </arg> + <arg choice="opt" rep="norepeat"> nodefgroup </arg> <arg choice="opt" rep="norepeat"> - noaudit + nodns </arg> <arg choice="opt" rep="norepeat"> quiet_log @@ -134,6 +137,33 @@ <varlistentry> <term> + nodefgroup + </term> + <listitem> + <para> + User tokens which are not enclosed in parentheses will not be + matched against the group database. The backwards compatible default is + to try the group database match even for tokens not enclosed + in parentheses. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + nodns + </term> + <listitem> + <para> + Do not try to resolve tokens as hostnames, only IPv4 and IPv6 + addresses will be resolved. Which means to allow login from a + remote host, the IP addresses need to be specified in <filename>access.conf</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> quiet_log </term> <listitem> @@ -185,20 +215,6 @@ </listitem> </varlistentry> - <varlistentry> - <term> - nodefgroup - </term> - <listitem> - <para> - User tokens which are not enclosed in parentheses will not be - matched against the group database. The backwards compatible default is - to try the group database match even for tokens not enclosed - in parentheses. - </para> - </listitem> - </varlistentry> - </variablelist> </refsect1> |
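Review bot: In the new nodns entry (second hunk, under the `<term> nodns </term>` lines), the paragraph does not say what happens to hostname tokens that are already present in access.conf once the option is set. An administrator enabling nodns needs to know whether such rules simply stop matching and whether that is logged, because an allow rule that silently stops matching locks out remote logins, and the text only covers the allow case ("to allow login from a remote host"), not rules that deny by hostname. Suggest stating the behaviour for existing hostname entries explicitly. The wording also needs tightening: "only IPv4 and IPv6 addresses will be resolved" is ambiguous for literal addresses, and "Which means to allow login from a remote host, ..." is a sentence fragment. Something like "Tokens are never resolved as hostnames; only IPv4 and IPv6 addresses are matched. To allow login from a remote host, its IP addresses must be listed in access.conf." would read more clearly.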
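Review bot: The commit message lists only "document nodns option" for this file, yet the first hunk also swaps noaudit and nodefgroup in the synopsis, and the third hunk removes the nodefgroup `<varlistentry>` that the second hunk re-adds earlier in the list. Mention the alphabetical re-sorting in the changelog entry, or split it into its own commit, so that the moved nodefgroup text (unchanged in wording) is not mistaken for a documentation change during review or backporting.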