diff options
Diffstat (limited to 'Linux-PAM/modules/pam_access/access.conf.5')
| -rw-r--r-- | Linux-PAM/modules/pam_access/access.conf.5 | 163 |
1 files changed, 163 insertions, 0 deletions
diff --git a/Linux-PAM/modules/pam_access/access.conf.5 b/Linux-PAM/modules/pam_access/access.conf.5 new file mode 100644 index 00000000..43cc4fce --- /dev/null +++ b/Linux-PAM/modules/pam_access/access.conf.5 @@ -0,0 +1,163 @@ +.\" Title: access.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> +.\" Date: 06/21/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "ACCESS.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +access.conf \- the login access control table file +.SH "DESCRIPTION" +.PP +The +\fI/etc/security/access.conf\fR +file specifies (\fIuser\fR, +\fIhost\fR), (\fIuser\fR, +\fInetwork/netmask\fR) or (\fIuser\fR, +\fItty\fR) combinations for which a login will be either accepted or refused. +.PP +When someone logs in, the file +\fIaccess.conf\fR +is scanned for the first entry that matches the (\fIuser\fR, +\fIhost\fR) or (\fIuser\fR, +\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser\fR, +\fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused. +.PP +Each line of the login access control table has three fields separated by a ":" character (colon): +.PP + +\fIpermission\fR:\fIusers\fR:\fIorigins\fR +.PP +The first field, the +\fIpermission\fR +field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied. +.PP +The second field, the +\fIusers\fR +field, should be a list of one or more login names, group names, or +\fIALL\fR +(which always matches). +.PP +The third field, the +\fIorigins\fR +field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "."), host addresses, internet network numbers (end with "."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), +\fIALL\fR +(which always matches) or +\fILOCAL\fR +(which matches any string that does not contain a "." character). If supported by the system you can use +\fI@netgroupname\fR +in host or user patterns. +.PP +The +\fIexcept\fR +operator makes it possible to write very compact rules. +.PP +The group file is searched only when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user. +.PP +The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\fI/etc/security/access.conf\fR. +.PP +User +\fIroot\fR +should be allowed to get access via +\fIcron\fR, X11 terminal +\fI:0\fR, +\fItty1\fR, ..., +\fItty5\fR, +\fItty6\fR. +.PP ++ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 +.PP +User +\fIroot\fR +should be allowed to get access from hosts which own the IPv4 addresses. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too. +.PP ++ : root : 192.168.200.1 192.168.200.4 192.168.200.9 +.PP ++ : root : 127.0.0.1 +.PP +User +\fIroot\fR +should get access from network +192.168.201. +where the term will be evaluated by string matching. But it might be better to use network/netmask instead. The same meaning of +192.168.201. +is +\fI192.168.201.0/24\fR +or +\fI192.168.201.0/255.255.255.0\fR. +.PP ++ : root : 192.168.201. +.PP +User +\fIroot\fR +should be able to have access from hosts +\fIfoo1.bar.org\fR +and +\fIfoo2.bar.org\fR +(uses string matching also). +.PP ++ : root : foo1.bar.org foo2.bar.org +.PP +User +\fIroot\fR +should be able to have access from domain +\fIfoo.bar.org\fR +(uses string matching also). +.PP ++ : root : .foo.bar.org +.PP +User +\fIroot\fR +should be denied to get access from all other sources. +.PP +\- : root : ALL +.PP +User +\fIfoo\fR +and members of netgroup +\fIadmins\fR +should be allowed to get access from all sources. This will only work if netgroup service is available. +.PP ++ : @admins foo : ALL +.PP +User +\fIjohn\fR +and +\fIfoo\fR +should get access from IPv6 host address. +.PP ++ : john foo : 2001:4ca0:0:101::1 +.PP +User +\fIjohn\fR +should get access from IPv6 net/mask. +.PP ++ : john : 2001:4ca0:0:101::/64 +.PP +All other users should be denied to get access from all sources. +.PP +\- : ALL : ALL +.SH "SEE ALSO" +.PP + +\fBpam_access\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHORS" +.PP +Original +\fBlogin.access\fR(5) +manual was provided by Guido van Rooij which was renamed to +\fBaccess.conf\fR(5) +to reflect relation to default config file. +.PP +Network address / netmask description and example text was introduced by Mike Becher <mike.becher@lrz\-muenchen.de>. |