Diffstat (limited to 'Linux-PAM/modules/pam_access/access.conf.5')
-rw-r--r-- | Linux-PAM/modules/pam_access/access.conf.5 | 170 |
1 files changed, 0 insertions, 170 deletions
diff --git a/Linux-PAM/modules/pam_access/access.conf.5 b/Linux-PAM/modules/pam_access/access.conf.5 deleted file mode 100644 index 9b8fb70b..00000000 --- a/Linux-PAM/modules/pam_access/access.conf.5 +++ /dev/null 
@@ -1,170 +0,0 @@ -.\" Title: access.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/> -.\" Date: 01/08/2008 -.\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual -.\" -.TH "ACCESS\.CONF" "5" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -access.conf - the login access control table file -.SH "DESCRIPTION" -.PP -The -\fI/etc/security/access\.conf\fR -file specifies (\fIuser/group\fR, -\fIhost\fR), (\fIuser/group\fR, -\fInetwork/netmask\fR) or (\fIuser/group\fR, -\fItty\fR) combinations for which a login will be either accepted or refused\. -.PP -When someone logs in, the file -\fIaccess\.conf\fR -is scanned for the first entry that matches the (\fIuser/group\fR, -\fIhost\fR) or (\fIuser/group\fR, -\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR, -\fItty\fR) combination\. The permissions field of that table entry determines whether the login will be accepted or refused\. -.PP -Each line of the login access control table has three fields separated by a ":" character (colon): -.PP - -\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR -.PP -The first field, the -\fIpermission\fR -field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\. -.PP -The second field, the -\fIusers\fR/\fIgroup\fR -field, should be a list of one or more login names, group names, or -\fIALL\fR -(which always matches)\. To differentiate user entries from group entries, group entries should be written with brackets, e\.g\. -\fI(group)\fR\. 
-.PP -The third field, the -\fIorigins\fR -field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\."), host addresses, internet network numbers (end with "\."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), -\fIALL\fR -(which always matches) or -\fILOCAL\fR -(which matches any string that does not contain a "\." character)\. If supported by the system you can use -\fI@netgroupname\fR -in host or user patterns\. -.PP -The -\fIEXCEPT\fR -operator makes it possible to write very compact rules\. -.PP -If the -\fBnodefgroup\fR -is not set, the group file is searched when a name does not match that of the logged\-in user\. Only groups are matched in which users are explicitly listed\. However the PAM module does not look at the primary group id of a user\. -.PP -The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\. -.SH "EXAMPLES" -.PP -These are some example lines which might be specified in -\fI/etc/security/access\.conf\fR\. -.PP -User -\fIroot\fR -should be allowed to get access via -\fIcron\fR, X11 terminal -\fI:0\fR, -\fItty1\fR, \.\.\., -\fItty5\fR, -\fItty6\fR\. -.PP -+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 -.PP -User -\fIroot\fR -should be allowed to get access from hosts which own the IPv4 addresses\. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\. -.PP -+ : root : 192\.168\.200\.1 192\.168\.200\.4 192\.168\.200\.9 -.PP -+ : root : 127\.0\.0\.1 -.PP -User -\fIroot\fR -should get access from network -192\.168\.201\. -where the term will be evaluated by string matching\. But it might be better to use network/netmask instead\. The same meaning of -192\.168\.201\. -is -\fI192\.168\.201\.0/24\fR -or -\fI192\.168\.201\.0/255\.255\.255\.0\fR\. -.PP -+ : root : 192\.168\.201\. 
-.PP -User -\fIroot\fR -should be able to have access from hosts -\fIfoo1\.bar\.org\fR -and -\fIfoo2\.bar\.org\fR -(uses string matching also)\. -.PP -+ : root : foo1\.bar\.org foo2\.bar\.org -.PP -User -\fIroot\fR -should be able to have access from domain -\fIfoo\.bar\.org\fR -(uses string matching also)\. -.PP -+ : root : \.foo\.bar\.org -.PP -User -\fIroot\fR -should be denied to get access from all other sources\. -.PP -\- : root : ALL -.PP -User -\fIfoo\fR -and members of netgroup -\fIadmins\fR -should be allowed to get access from all sources\. This will only work if netgroup service is available\. -.PP -+ : @admins foo : ALL -.PP -User -\fIjohn\fR -and -\fIfoo\fR -should get access from IPv6 host address\. -.PP -+ : john foo : 2001:4ca0:0:101::1 -.PP -User -\fIjohn\fR -should get access from IPv6 net/mask\. -.PP -+ : john : 2001:4ca0:0:101::/64 -.PP -Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\. -.PP -\-:ALL EXCEPT (wheel) shutdown sync:LOCAL -.PP -All other users should be denied to get access from all sources\. -.PP -\- : ALL : ALL -.SH "SEE ALSO" -.PP - -\fBpam_access\fR(8), -\fBpam.d\fR(5), -\fBpam\fR(8) -.SH "AUTHORS" -.PP -Original -\fBlogin.access\fR(5) -manual was provided by Guido van Rooij which was renamed to -\fBaccess.conf\fR(5) -to reflect relation to default config file\. -.PP -Network address / netmask description and example text was introduced by Mike Becher <mike\.becher@lrz\-muenchen\.de>\. |
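Review bot: this hunk deletes a generated artifact (the removed file's own header reads `Generator: DocBook XSL Stylesheets v1.73.1`), and the diff shows no replacement, so the deletion is only safe if the build still regenerates `access.conf.5` from its DocBook source and installed packages still ship the `access.conf(5)` page; please confirm the build rule and say so in the commit message. The page being removed is the sole documentation of security-relevant behaviour that administrators rely on when writing `/etc/security/access.conf`: first-match evaluation of `permission:users/groups:origins` lines, the `EXCEPT` operator, the `nodefgroup` group-lookup rule (and that the primary group id is not consulted), and the caveat that `192.168.201.` is matched as a string whereas `192.168.201.0/24` is a real network/netmask test. If the man page is indeed gone from the install, users lose those warnings, so the loss of documentation should be called out explicitly rather than left implicit in a `deleted file` entry.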