Diffstat (limited to 'Linux-PAM/modules/pam_access/access.conf')
-rw-r--r--Linux-PAM/modules/pam_access/access.conf122
1 files changed, 0 insertions, 122 deletions
diff --git a/Linux-PAM/modules/pam_access/access.conf b/Linux-PAM/modules/pam_access/access.conf
deleted file mode 100644
index 74c5fbe8..00000000
--- a/Linux-PAM/modules/pam_access/access.conf
+++ /dev/null
@@ -1,122 +0,0 @@
-# Login access control table.
-#
-# Comment line must start with "#", no space at front.
-# Order of lines is important.
-#
-# When someone logs in, the table is scanned for the first entry that
-# matches the (user, host) combination, or, in case of non-networked
-# logins, the first entry that matches the (user, tty) combination. The
-# permissions field of that table entry determines whether the login will
-# be accepted or refused.
-#
-# Format of the login access control table is three fields separated by a
-# ":" character:
-#
-# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
-# module, you can change the field separation character to be
-# '|'. This is useful for configurations where you are trying to use
-# pam_access with X applications that provide PAM_TTY values that are
-# the display variable like "host:0".]
-#
-# permission : users : origins
-#
-# The first field should be a "+" (access granted) or "-" (access denied)
-# character.
-#
-# The second field should be a list of one or more login names, group
-# names, or ALL (always matches). A pattern of the form user@host is
-# matched when the login name matches the "user" part, and when the
-# "host" part matches the local machine name.
-#
-# The third field should be a list of one or more tty names (for
-# non-networked logins), host names, domain names (begin with "."), host
-# addresses, internet network numbers (end with "."), ALL (always
-# matches), NONE (matches no tty on non-networked logins) or
-# LOCAL (matches any string that does not contain a "." character).
-#
-# You can use @netgroupname in host or user patterns; this even works
-# for @usergroup@@hostgroup patterns.
-#
-# The EXCEPT operator makes it possible to write very compact rules.
-#
-# The group file is searched only when a name does not match that of the
-# logged-in user. Both the user's primary group is matched, as well as
-# groups in which users are explicitly listed.
-# To avoid problems with accounts, which have the same name as a group,
-# you can use brackets around group names '(group)' to differentiate.
-# In this case, you should also set the "nodefgroup" option.
-#
-# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
-# "/dev" (e.g. tty1 or vc/1)
-#
-##############################################################################
-#
-# Disallow non-root logins on tty1
-#
-#-:ALL EXCEPT root:tty1
-#
-# Disallow console logins to all but a few accounts.
-#
-#-:ALL EXCEPT wheel shutdown sync:LOCAL
-#
-# Same, but make sure that really the group wheel and not the user
-# wheel is used (use nodefgroup argument, too):
-#
-#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
-#
-# Disallow non-local logins to privileged accounts (group wheel).
-#
-#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
-#
-# Some accounts are not allowed to login from anywhere:
-#
-#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
-#
-# All other accounts are allowed to login from anywhere.
-#
-##############################################################################
-# All lines from here up to the end are building a more complex example.
-##############################################################################
-#
-# User "root" should be allowed to get access via cron .. tty5 tty6.
-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
-#
-# User "root" should be allowed to get access from hosts with ip addresses.
-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
-#+ : root : 127.0.0.1
-#
-# User "root" should get access from network 192.168.201.
-# This term will be evaluated by string matching.
-# comment: It might be better to use network/netmask instead.
-# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
-#+ : root : 192.168.201.
-#
-# User "root" should be able to have access from domain.
-# Uses string matching also.
-#+ : root : .foo.bar.org
-#
-# User "root" should be denied to get access from all other sources.
-#- : root : ALL
-#
-# User "foo" and members of netgroup "nis_group" should be
-# allowed to get access from all sources.
-# This will only work if netgroup service is available.
-#+ : @nis_group foo : ALL
-#
-# User "john" should get access from ipv4 net/mask
-#+ : john : 127.0.0.0/24
-#
-# User "john" should get access from ipv4 as ipv6 net/mask
-#+ : john : ::ffff:127.0.0.0/127
-#
-# User "john" should get access from ipv6 host address
-#+ : john : 2001:4ca0:0:101::1
-#
-# User "john" should get access from ipv6 host address (same as above)
-#+ : john : 2001:4ca0:0:101:0:0:0:1
-#
-# User "john" should get access from ipv6 net/mask
-#+ : john : 2001:4ca0:0:101::/64
-#
-# All other users should be denied to get access from all sources.
-#- : ALL : ALL