Diffstat (limited to 'modules/pam_access/access.conf.5')
-rw-r--r-- | modules/pam_access/access.conf.5 | 258 |
1 files changed, 210 insertions, 48 deletions
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5
index 4221ccfc..5521944f 100644
--- a/modules/pam_access/access.conf.5
+++ b/modules/pam_access/access.conf.5
@@ -1,32 +1,188 @@ .\" Title: access.conf -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/> -.\" Date: 04/16/2008 +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/> +.\" Date: 03/02/2009 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual +.\" Language: English .\" -.TH "ACCESS\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "ACCESS\&.CONF" "5" "03/02/2009" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * (re)Define some macros +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" toupper - uppercase a string (locale-aware) +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de toupper +.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ +\\$* +.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH-xref - format a cross-reference to an SH section +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de SH-xref +.ie n \{\ +.\} +.toupper \\$* +.el \{\ +\\$* +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH - level-one heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SH +.\" put an extra blank line of space above the head in non-TTY output +.if t \{\ +.sp 1 +.\} +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[an-margin]u +.ti 0 +.HTML-TAG ".NH \\n[an-level]" +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +\." 
make the size of the head bigger +.ps +3 +.ft B +.ne (2v + 1u) +.ie n \{\ +.\" if n (TTY output), use uppercase +.toupper \\$* +.\} +.el \{\ +.nr an-break-flag 0 +.\" if not n (not TTY), use normal case (not uppercase) +\\$1 +.in \\n[an-margin]u +.ti 0 +.\" if not n (not TTY), put a border/line under subheading +.sp -.6 +\l'\n(.lu' +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SS - level-two heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SS +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[IN]u +.ti \\n[SN]u +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.ps \\n[PS-SS]u +\." make the size of the head bigger +.ps +2 +.ft B +.ne (2v + 1u) +.if \\n[.$] \&\\$* +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BB/BE - put background/screen (filled box) around block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BB +.if t \{\ +.sp -.5 +.br +.in +2n +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EB +.if t \{\ +.if "\\$2"adjust-for-leading-newline" \{\ +.sp -1 +.\} +.br +.di +.in +.ll +.gcolor +.nr BW \\n(.lu-\\n(.i +.nr BH \\n(dn+.5v +.ne \\n(BHu+.5v +.ie "\\$2"adjust-for-leading-newline" \{\ +\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.el \{\ +\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.in 0 +.sp -.5v +.nf +.BX +.in +.sp .5v +.fi +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BM/EM - put colored marker in margin next to block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BM +.if t \{\ +.br +.ll -2n +.gcolor red +.di BX +.\} +.. 
+.de EM +.if t \{\ +.br +.di +.ll +.gcolor +.nr BH \\n(dn +.ne \\n(BHu +\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] +.in 0 +.nf +.BX +.in +.fi +.\} +.. +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l -.SH "NAME" -access.conf - the login access control table file +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "Name" +access.conf \- the login access control table file .SH "DESCRIPTION" .PP The -\fI/etc/security/access\.conf\fR +\FC/etc/security/access\&.conf\F[] file specifies (\fIuser/group\fR, \fIhost\fR), (\fIuser/group\fR, \fInetwork/netmask\fR) or (\fIuser/group\fR, -\fItty\fR) combinations for which a login will be either accepted or refused\. +\fItty\fR) combinations for which a login will be either accepted or refused\&. .PP When someone logs in, the file -\fIaccess\.conf\fR +\FCaccess\&.conf\F[] is scanned for the first entry that matches the (\fIuser/group\fR, \fIhost\fR) or (\fIuser/group\fR, \fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR, -\fItty\fR) combination\. The permissions field of that table entry determines whether the login will be accepted or refused\. +\fItty\fR) combination\&. The permissions field of that table entry determines whether the login will be accepted or refused\&. .PP Each line of the login access control table has three fields separated by a ":" character (colon): .PP 
@@ -35,92 +191,98 @@ Each line of the login access control table has three fields separated by a ":" .PP The first field, the \fIpermission\fR -field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\. +field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\&. .PP The second field, the \fIusers\fR/\fIgroup\fR field, should be a list of one or more login names, group names, or \fIALL\fR -(which always matches)\. To differentiate user entries from group entries, group entries should be written with brackets, e\.g\. -\fI(group)\fR\. +(which always matches)\&. To differentiate user entries from group entries, group entries should be written with brackets, e\&.g\&. +\fI(group)\fR\&. .PP The third field, the \fIorigins\fR -field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\."), host addresses, internet network numbers (end with "\."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), +field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\&."), host addresses, internet network numbers (end with "\&."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), \fIALL\fR (which always matches) or +\fILOCAL\fR\&. \fILOCAL\fR -(which matches any string that does not contain a "\." character)\. If supported by the system you can use +keyword matches if and only if the +\fIPAM_RHOST\fR +is not set and <origin> field is thus set from +\fIPAM_TTY\fR +or +\fIPAM_SERVICE\fR"\&. If supported by the system you can use \fI@netgroupname\fR -in host or user patterns\. +in host or user patterns\&. .PP The \fIEXCEPT\fR -operator makes it possible to write very compact rules\. 
+operator makes it possible to write very compact rules\&. .PP If the \fBnodefgroup\fR -is not set, the group file is searched when a name does not match that of the logged\-in user\. Only groups are matched in which users are explicitly listed\. However the PAM module does not look at the primary group id of a user\. +is not set, the group file is searched when a name does not match that of the logged\-in user\&. Only groups are matched in which users are explicitly listed\&. However the PAM module does not look at the primary group id of a user\&. .PP -The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\. +The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\&. .SH "EXAMPLES" .PP These are some example lines which might be specified in -\fI/etc/security/access\.conf\fR\. +\FC/etc/security/access\&.conf\F[]\&. .PP User \fIroot\fR should be allowed to get access via \fIcron\fR, X11 terminal \fI:0\fR, -\fItty1\fR, \.\.\., +\fItty1\fR, \&.\&.\&., \fItty5\fR, -\fItty6\fR\. +\fItty6\fR\&. .PP + : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 .PP User \fIroot\fR -should be allowed to get access from hosts which own the IPv4 addresses\. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\. +should be allowed to get access from hosts which own the IPv4 addresses\&. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\&. .PP -+ : root : 192\.168\.200\.1 192\.168\.200\.4 192\.168\.200\.9 ++ : root : 192\&.168\&.200\&.1 192\&.168\&.200\&.4 192\&.168\&.200\&.9 .PP -+ : root : 127\.0\.0\.1 ++ : root : 127\&.0\&.0\&.1 .PP User \fIroot\fR should get access from network -192\.168\.201\. -where the term will be evaluated by string matching\. But it might be better to use network/netmask instead\. 
The same meaning of -192\.168\.201\. +\FC192\&.168\&.201\&.\F[] +where the term will be evaluated by string matching\&. But it might be better to use network/netmask instead\&. The same meaning of +\FC192\&.168\&.201\&.\F[] is -\fI192\.168\.201\.0/24\fR +\fI192\&.168\&.201\&.0/24\fR or -\fI192\.168\.201\.0/255\.255\.255\.0\fR\. +\fI192\&.168\&.201\&.0/255\&.255\&.255\&.0\fR\&. .PP -+ : root : 192\.168\.201\. ++ : root : 192\&.168\&.201\&. .PP User \fIroot\fR should be able to have access from hosts -\fIfoo1\.bar\.org\fR +\fIfoo1\&.bar\&.org\fR and -\fIfoo2\.bar\.org\fR -(uses string matching also)\. +\fIfoo2\&.bar\&.org\fR +(uses string matching also)\&. .PP -+ : root : foo1\.bar\.org foo2\.bar\.org ++ : root : foo1\&.bar\&.org foo2\&.bar\&.org .PP User \fIroot\fR should be able to have access from domain -\fIfoo\.bar\.org\fR -(uses string matching also)\. +\fIfoo\&.bar\&.org\fR +(uses string matching also)\&. .PP -+ : root : \.foo\.bar\.org ++ : root : \&.foo\&.bar\&.org .PP User \fIroot\fR -should be denied to get access from all other sources\. +should be denied to get access from all other sources\&. .PP \- : root : ALL .PP @@ -128,7 +290,7 @@ User \fIfoo\fR and members of netgroup \fIadmins\fR -should be allowed to get access from all sources\. This will only work if netgroup service is available\. +should be allowed to get access from all sources\&. This will only work if netgroup service is available\&. .PP + : @admins foo : ALL .PP 
@@ -136,21 +298,21 @@ User \fIjohn\fR and \fIfoo\fR -should get access from IPv6 host address\. +should get access from IPv6 host address\&. .PP -+ : john foo : 2001:4ca0:0:101::1 ++ : john foo : 2001:db8:0:101::1 .PP User \fIjohn\fR -should get access from IPv6 net/mask\. +should get access from IPv6 net/mask\&. .PP -+ : john : 2001:4ca0:0:101::/64 ++ : john : 2001:db8:0:101::/64 .PP -Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\. +Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\&. .PP \-:ALL EXCEPT (wheel) shutdown sync:LOCAL .PP -All other users should be denied to get access from all sources\. +All other users should be denied to get access from all sources\&. .PP \- : ALL : ALL .SH "SEE ALSO" @@ -165,6 +327,6 @@ Original \fBlogin.access\fR(5) manual was provided by Guido van Rooij which was renamed to \fBaccess.conf\fR(5) -to reflect relation to default config file\. +to reflect relation to default config file\&. .PP -Network address / netmask description and example text was introduced by Mike Becher <mike\.becher@lrz\-muenchen\.de>\. +Network address / netmask description and example text was introduced by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&. |