diff options
| author | Thorsten Kukuk <kukuk@thkukuk.de> | 2006-02-07 07:51:13 +0000 |
|---|---|---|
| committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2006-02-07 07:51:13 +0000 |
| commit | 8fa87c2931a1f25e4d2a851385b18759f7e6fde9 (patch) | |
| tree | 66831670c2c8efff5964fc2f238f498d0c6cbf38 /modules/pam_access/access.conf | |
| parent | 22e4ed7f49e0f7db1e29b15923d54a7798a1a2aa (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2006-02-07 Thorsten Kukuk <kukuk@thkukuk.de>
* configure.in: Check for text browser.
* Make.xml.rules: Add rule to generate README from README.xml.
* modules/pam_access/Makefile.am: Include Make.xml.rules.
* modules/pam_access/README: Regenerated from README.xml.
* modules/pam_access/README.xml: New.
* modules/pam_access/access.conf: Extended by new examples.
* modules/pam_access/access.conf.5: New, generated from xml file.
* modules/pam_access/access.conf.5.xml: New.
* modules/pam_access/pam_access.8: New, generated from xml file.
* modules/pam_access/pam_access.8.xml: New.
* modules/pam_access/pam_access.c: Add rules for IPv6 and
netmasks.
Based on patch from Mike Becher <Mike.Becher@lrz-muenchen.de>.
* modules/pam_deny/Makefile.am: Include Make.xml.rules.
* modules/pam_deny/pam_deny.8.xml: New.
* modules/pam_deny/pam_deny.8: New, generated from xml file.
* modules/pam_deny/README.xml: New.
* modules/pam_deny/README: Regenerated from xml file.
* modules/pam_cracklib/Makefile.am: Include Make.xml.rules.
* modules/pam_cracklib/pam_cracklib.8.xml: New.
* modules/pam_cracklib/pam_cracklib.8: New, generated from xml file.
* modules/pam_cracklib/README.xml: New.
* modules/pam_cracklib/README: Regenerated from xml file.
* modules/pam_exec/Makefile.am: Add rule to generate README.
* modules/pam_exec/README: Regenerated from xml file.
* modules/pam_exec/pam_exec.8: Regenerated from xml file.
* modules/pam_exec/pam_exec.8.xml: Syntax files.
Diffstat (limited to 'modules/pam_access/access.conf')
| -rw-r--r-- | modules/pam_access/access.conf | 53 |
1 files changed, 51 insertions, 2 deletions
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf index 98da5faa..b22f1d43 100644 --- a/modules/pam_access/access.conf +++ b/modules/pam_access/access.conf @@ -1,5 +1,8 @@ # Login access control table. # +# Comment line must start with "#", no space at front. +# Order of lines is important. +# # When someone logs in, the table is scanned for the first entry that # matches the (user, host) combination, or, in case of non-networked # logins, the first entry that matches the (user, tty) combination. The @@ -31,8 +34,8 @@ # matches), NONE (matches no tty on non-networked logins) or # LOCAL (matches any string that does not contain a "." character). # -# If you run NIS you can use @netgroupname in host or user patterns; this -# even works for @usergroup@@hostgroup patterns. Weird. +# You can use @netgroupname in host or user patterns; this even works +# for @usergroup@@hostgroup patterns. # # The EXCEPT operator makes it possible to write very compact rules. # @@ -63,3 +66,49 @@ # # All other accounts are allowed to login from anywhere. # +############################################################################## +# All lines from here up to the end are building a more complex example. +############################################################################## +# +# User "root" should be allowed to get access via cron .. tty5 tty6. +#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 +# +# User "root" should be allowed to get access from hosts with ip addresses. +#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 +#+ : root : 127.0.0.1 +# +# User "root" should get access from network 192.168.201. +# This term will be evaluated by string matching. +# comment: It might be better to use network/netmask instead. +# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0 +#+ : root : 192.168.201. +# +# User "root" should be able to have access from domain. +# Uses string matching also. +#+ : root : .foo.bar.org +# +# User "root" should be denied to get access from all other sources. +#- : root : ALL +# +# User "foo" and members of netgroup "nis_group" should be +# allowed to get access from all sources. +# This will only work if netgroup service is available. +#+ : @nis_group foo : ALL +# +# User "john" should get access from ipv4 net/mask +#+ : john : 127.0.0.0/24 +# +# User "john" should get access from ipv4 as ipv6 net/mask +#+ : john : ::ffff:127.0.0.0/127 +# +# User "john" should get access from ipv6 host address +#+ : john : 2001:4ca0:0:101::1 +# +# User "john" should get access from ipv6 host address (same as above) +#+ : john : 2001:4ca0:0:101:0:0:0:1 +# +# User "john" should get access from ipv6 net/mask +#+ : john : 2001:4ca0:0:101::/64 +# +# All other users should be denied to get access from all sources. +#- : ALL : ALL |