Diffstat (limited to 'modules/pam_access/access.conf.5')
-rw-r--r-- | modules/pam_access/access.conf.5 | 170 |
1 files changed, 0 insertions, 170 deletions
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5 deleted file mode 100644 index fcd33bb4..00000000 --- a/modules/pam_access/access.conf.5 +++ /dev/null 
@@ -1,170 +0,0 @@ -.\" Title: access.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> -.\" Date: 06/22/2007 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "ACCESS.CONF" "5" "06/22/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -access.conf \- the login access control table file -.SH "DESCRIPTION" -.PP -The -\fI/etc/security/access.conf\fR -file specifies (\fIuser/group\fR, -\fIhost\fR), (\fIuser/group\fR, -\fInetwork/netmask\fR) or (\fIuser/group\fR, -\fItty\fR) combinations for which a login will be either accepted or refused. -.PP -When someone logs in, the file -\fIaccess.conf\fR -is scanned for the first entry that matches the (\fIuser/group\fR, -\fIhost\fR) or (\fIuser/group\fR, -\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR, -\fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused. -.PP -Each line of the login access control table has three fields separated by a ":" character (colon): -.PP - -\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR -.PP -The first field, the -\fIpermission\fR -field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied. -.PP -The second field, the -\fIusers\fR/\fIgroup\fR -field, should be a list of one or more login names, group names, or -\fIALL\fR -(which always matches). To differentiate user entries from group entries, group entries should be written with brackets, e.g. -\fI(group)\fR. 
-.PP -The third field, the -\fIorigins\fR -field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), -\fIALL\fR -(which always matches) or -\fILOCAL\fR -(which matches any string that does not contain a "." character). If supported by the system you can use -\fI@netgroupname\fR -in host or user patterns. -.PP -The -\fIEXCEPT\fR -operator makes it possible to write very compact rules. -.PP -If the -\fBnodefgroup\fR -is not set, the group file is searched when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user. -.PP -The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line. -.SH "EXAMPLES" -.PP -These are some example lines which might be specified in -\fI/etc/security/access.conf\fR. -.PP -User -\fIroot\fR -should be allowed to get access via -\fIcron\fR, X11 terminal -\fI:0\fR, -\fItty1\fR, ..., -\fItty5\fR, -\fItty6\fR. -.PP -+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 -.PP -User -\fIroot\fR -should be allowed to get access from hosts which own the IPv4 addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too. -.PP -+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 -.PP -+ : root : 127.0.0.1 -.PP -User -\fIroot\fR -should get access from network -192.168.201. -where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning of -192.168.201. -is -\fI192.168.201.0/24\fR -or -\fI192.168.201.0/255.255.255.0\fR. -.PP -+ : root : 192.168.201. 
-.PP -User -\fIroot\fR -should be able to have access from hosts -\fIfoo1.bar.org\fR -and -\fIfoo2.bar.org\fR -(uses string matching also). -.PP -+ : root : foo1.bar.org foo2.bar.org -.PP -User -\fIroot\fR -should be able to have access from domain -\fIfoo.bar.org\fR -(uses string matching also). -.PP -+ : root : .foo.bar.org -.PP -User -\fIroot\fR -should be denied to get access from all other sources. -.PP -\- : root : ALL -.PP -User -\fIfoo\fR -and members of netgroup -\fIadmins\fR -should be allowed to get access from all sources. This will only work if netgroup service is available. -.PP -+ : @admins foo : ALL -.PP -User -\fIjohn\fR -and -\fIfoo\fR -should get access from IPv6 host address. -.PP -+ : john foo : 2001:4ca0:0:101::1 -.PP -User -\fIjohn\fR -should get access from IPv6 net/mask. -.PP -+ : john : 2001:4ca0:0:101::/64 -.PP -Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group. -.PP -\-:ALL EXCEPT (wheel) shutdown sync:LOCAL -.PP -All other users should be denied to get access from all sources. -.PP -\- : ALL : ALL -.SH "SEE ALSO" -.PP - -\fBpam_access\fR(8), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHORS" -.PP -Original -\fBlogin.access\fR(5) -manual was provided by Guido van Rooij which was renamed to -\fBaccess.conf\fR(5) -to reflect relation to default config file. -.PP -Network address / netmask description and example text was introduced by Mike Becher <mike.becher@lrz\-muenchen.de>. |
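Review bot: the removed file is a pre-generated troff page (its header reads "Generator: DocBook XSL Stylesheets v1.71.1" and "Date: 06/22/2007"), so the real question for this hunk is where access.conf(5) comes from after the deletion. The diffstat above is limited to modules/pam_access/access.conf.5 (0 insertions, 170 deletions), so nothing visible here shows the build regenerating the page from a DocBook source or the install rules being updated; please confirm in the rest of the commit that `man 5 access.conf` is still produced and installed, otherwise the only documentation of the first-match evaluation order, the nodefgroup behaviour, the EXCEPT operator and the caveat that an origin such as "192.168.201." is matched as a string rather than as a network (the page itself recommends 192.168.201.0/24 or 192.168.201.0/255.255.255.0 instead) disappears for administrators configuring /etc/security/access.conf. Dropping a stale generated artifact from the tree is fine as long as the generated page remains part of the build output; a one-line commit message note saying that the file is now built from its XML source would make that intent clear.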