From 641dfd1084508c63f3590e93a35b80ffc50774e5 Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Fri, 18 Oct 2024 10:27:07 +0200 Subject: pam_access: clarify `LOCAL` keyword behaviour * modules/pam_access/access.conf.5.xml: `LOCAL` keyword behaviour explanation was focused on the development internals. Let's clarify it by rephrasing it to something a sysadmin can understand. Resolves: https://issues.redhat.com/browse/RHEL-39943 Signed-off-by: Iker Pedrosa --- modules/pam_access/access.conf.5.xml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index 35a1a8fe..0b93db00 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -79,17 +79,12 @@ with network mask (where network mask can be a decimal number or an internet address also), ALL (which always matches) or LOCAL. The LOCAL - keyword matches if and only if - pam_get_item3, - when called with an item_type of - PAM_RHOST, returns NULL or an - empty string (and therefore the - origins field is compared against the - return value of - pam_get_item3 - called with an item_type of - PAM_TTY or, absent that, - PAM_SERVICE). + keyword matches when the user connects without a network + connection (e.g., su, + login). A connection through the loopback + device (e.g., ssh user@localhost) is + considered a network connection, and thus, the + LOCAL keyword does not match. -- cgit v1.2.3
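Review bot: In the replacement paragraph of the `@@ -79,17 +79,12 @@` hunk, "matches when the user connects without a network connection" drops the exact condition that the removed lines documented: `LOCAL` matches if and only if `PAM_RHOST` is NULL or an empty string. The sysadmin-facing wording is easier to read, but it describes the transport, while the removed text describes what is actually tested. An administrator can no longer tell from the man page that the outcome depends on whether the calling service sets `PAM_RHOST`. Consider keeping the new sentences and appending one short technical sentence, for example "Technically, LOCAL matches when PAM_RHOST is unset or empty." The removed parenthetical also stated that in this case the origins field is compared against `PAM_TTY` or, absent that, `PAM_SERVICE`. That fallback is relevant to anyone writing tty or service names in the origins field, so it should either stay here or be moved elsewhere in the page rather than being deleted. Minor wording: "connects without a network connection" repeats itself ("logs in without a network connection" reads better), and the comma after "thus" can go.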