summaryrefslogtreecommitdiff
path: root/modules/pam_access/access.conf.5
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_access/access.conf.5')
-rw-r--r--modules/pam_access/access.conf.5258
1 files changed, 210 insertions, 48 deletions
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5
index 4221ccfc..5521944f 100644
--- a/modules/pam_access/access.conf.5
+++ b/modules/pam_access/access.conf.5
@@ -1,32 +1,188 @@
.\" Title: access.conf
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
-.\" Date: 04/16/2008
+.\" Author: [see the "AUTHORS" section]
+.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+.\" Date: 03/02/2009
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
+.\" Language: English
.\"
-.TH "ACCESS\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "ACCESS\&.CONF" "5" "03/02/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * (re)Define some macros
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" toupper - uppercase a string (locale-aware)
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de toupper
+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+\\$*
+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH-xref - format a cross-reference to an SH section
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de SH-xref
+.ie n \{\
+.\}
+.toupper \\$*
+.el \{\
+\\$*
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH - level-one heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SH
+.\" put an extra blank line of space above the head in non-TTY output
+.if t \{\
+.sp 1
+.\}
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[an-margin]u
+.ti 0
+.HTML-TAG ".NH \\n[an-level]"
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+\." make the size of the head bigger
+.ps +3
+.ft B
+.ne (2v + 1u)
+.ie n \{\
+.\" if n (TTY output), use uppercase
+.toupper \\$*
+.\}
+.el \{\
+.nr an-break-flag 0
+.\" if not n (not TTY), use normal case (not uppercase)
+\\$1
+.in \\n[an-margin]u
+.ti 0
+.\" if not n (not TTY), put a border/line under subheading
+.sp -.6
+\l'\n(.lu'
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SS - level-two heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SS
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[IN]u
+.ti \\n[SN]u
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.ps \\n[PS-SS]u
+\." make the size of the head bigger
+.ps +2
+.ft B
+.ne (2v + 1u)
+.if \\n[.$] \&\\$*
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BB/BE - put background/screen (filled box) around block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BB
+.if t \{\
+.sp -.5
+.br
+.in +2n
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EB
+.if t \{\
+.if "\\$2"adjust-for-leading-newline" \{\
+.sp -1
+.\}
+.br
+.di
+.in
+.ll
+.gcolor
+.nr BW \\n(.lu-\\n(.i
+.nr BH \\n(dn+.5v
+.ne \\n(BHu+.5v
+.ie "\\$2"adjust-for-leading-newline" \{\
+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.el \{\
+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.in 0
+.sp -.5v
+.nf
+.BX
+.in
+.sp .5v
+.fi
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BM/EM - put colored marker in margin next to block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BM
+.if t \{\
+.br
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EM
+.if t \{\
+.br
+.di
+.ll
+.gcolor
+.nr BH \\n(dn
+.ne \\n(BHu
+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+.in 0
+.nf
+.BX
+.in
+.fi
+.\}
+..
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
-.SH "NAME"
-access.conf - the login access control table file
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "Name"
+access.conf \- the login access control table file
.SH "DESCRIPTION"
.PP
The
-\fI/etc/security/access\.conf\fR
+\FC/etc/security/access\&.conf\F[]
file specifies (\fIuser/group\fR,
\fIhost\fR), (\fIuser/group\fR,
\fInetwork/netmask\fR) or (\fIuser/group\fR,
-\fItty\fR) combinations for which a login will be either accepted or refused\.
+\fItty\fR) combinations for which a login will be either accepted or refused\&.
.PP
When someone logs in, the file
-\fIaccess\.conf\fR
+\FCaccess\&.conf\F[]
is scanned for the first entry that matches the (\fIuser/group\fR,
\fIhost\fR) or (\fIuser/group\fR,
\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR,
-\fItty\fR) combination\. The permissions field of that table entry determines whether the login will be accepted or refused\.
+\fItty\fR) combination\&. The permissions field of that table entry determines whether the login will be accepted or refused\&.
.PP
Each line of the login access control table has three fields separated by a ":" character (colon):
.PP
@@ -35,92 +191,98 @@ Each line of the login access control table has three fields separated by a ":"
.PP
The first field, the
\fIpermission\fR
-field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\.
+field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\&.
.PP
The second field, the
\fIusers\fR/\fIgroup\fR
field, should be a list of one or more login names, group names, or
\fIALL\fR
-(which always matches)\. To differentiate user entries from group entries, group entries should be written with brackets, e\.g\.
-\fI(group)\fR\.
+(which always matches)\&. To differentiate user entries from group entries, group entries should be written with brackets, e\&.g\&.
+\fI(group)\fR\&.
.PP
The third field, the
\fIorigins\fR
-field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\."), host addresses, internet network numbers (end with "\."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also),
+field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\&."), host addresses, internet network numbers (end with "\&."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also),
\fIALL\fR
(which always matches) or
+\fILOCAL\fR\&.
\fILOCAL\fR
-(which matches any string that does not contain a "\." character)\. If supported by the system you can use
+keyword matches if and only if the
+\fIPAM_RHOST\fR
+is not set and <origin> field is thus set from
+\fIPAM_TTY\fR
+or
+\fIPAM_SERVICE\fR"\&. If supported by the system you can use
\fI@netgroupname\fR
-in host or user patterns\.
+in host or user patterns\&.
.PP
The
\fIEXCEPT\fR
-operator makes it possible to write very compact rules\.
+operator makes it possible to write very compact rules\&.
.PP
If the
\fBnodefgroup\fR
-is not set, the group file is searched when a name does not match that of the logged\-in user\. Only groups are matched in which users are explicitly listed\. However the PAM module does not look at the primary group id of a user\.
+is not set, the group file is searched when a name does not match that of the logged\-in user\&. Only groups are matched in which users are explicitly listed\&. However the PAM module does not look at the primary group id of a user\&.
.PP
-The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\.
+The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\&.
.SH "EXAMPLES"
.PP
These are some example lines which might be specified in
-\fI/etc/security/access\.conf\fR\.
+\FC/etc/security/access\&.conf\F[]\&.
.PP
User
\fIroot\fR
should be allowed to get access via
\fIcron\fR, X11 terminal
\fI:0\fR,
-\fItty1\fR, \.\.\.,
+\fItty1\fR, \&.\&.\&.,
\fItty5\fR,
-\fItty6\fR\.
+\fItty6\fR\&.
.PP
+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
.PP
User
\fIroot\fR
-should be allowed to get access from hosts which own the IPv4 addresses\. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\.
+should be allowed to get access from hosts which own the IPv4 addresses\&. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\&.
.PP
-+ : root : 192\.168\.200\.1 192\.168\.200\.4 192\.168\.200\.9
++ : root : 192\&.168\&.200\&.1 192\&.168\&.200\&.4 192\&.168\&.200\&.9
.PP
-+ : root : 127\.0\.0\.1
++ : root : 127\&.0\&.0\&.1
.PP
User
\fIroot\fR
should get access from network
-192\.168\.201\.
-where the term will be evaluated by string matching\. But it might be better to use network/netmask instead\. The same meaning of
-192\.168\.201\.
+\FC192\&.168\&.201\&.\F[]
+where the term will be evaluated by string matching\&. But it might be better to use network/netmask instead\&. The same meaning of
+\FC192\&.168\&.201\&.\F[]
is
-\fI192\.168\.201\.0/24\fR
+\fI192\&.168\&.201\&.0/24\fR
or
-\fI192\.168\.201\.0/255\.255\.255\.0\fR\.
+\fI192\&.168\&.201\&.0/255\&.255\&.255\&.0\fR\&.
.PP
-+ : root : 192\.168\.201\.
++ : root : 192\&.168\&.201\&.
.PP
User
\fIroot\fR
should be able to have access from hosts
-\fIfoo1\.bar\.org\fR
+\fIfoo1\&.bar\&.org\fR
and
-\fIfoo2\.bar\.org\fR
-(uses string matching also)\.
+\fIfoo2\&.bar\&.org\fR
+(uses string matching also)\&.
.PP
-+ : root : foo1\.bar\.org foo2\.bar\.org
++ : root : foo1\&.bar\&.org foo2\&.bar\&.org
.PP
User
\fIroot\fR
should be able to have access from domain
-\fIfoo\.bar\.org\fR
-(uses string matching also)\.
+\fIfoo\&.bar\&.org\fR
+(uses string matching also)\&.
.PP
-+ : root : \.foo\.bar\.org
++ : root : \&.foo\&.bar\&.org
.PP
User
\fIroot\fR
-should be denied to get access from all other sources\.
+should be denied to get access from all other sources\&.
.PP
\- : root : ALL
.PP
@@ -128,7 +290,7 @@ User
\fIfoo\fR
and members of netgroup
\fIadmins\fR
-should be allowed to get access from all sources\. This will only work if netgroup service is available\.
+should be allowed to get access from all sources\&. This will only work if netgroup service is available\&.
.PP
+ : @admins foo : ALL
.PP
@@ -136,21 +298,21 @@ User
\fIjohn\fR
and
\fIfoo\fR
-should get access from IPv6 host address\.
+should get access from IPv6 host address\&.
.PP
-+ : john foo : 2001:4ca0:0:101::1
++ : john foo : 2001:db8:0:101::1
.PP
User
\fIjohn\fR
-should get access from IPv6 net/mask\.
+should get access from IPv6 net/mask\&.
.PP
-+ : john : 2001:4ca0:0:101::/64
++ : john : 2001:db8:0:101::/64
.PP
-Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\.
+Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\&.
.PP
\-:ALL EXCEPT (wheel) shutdown sync:LOCAL
.PP
-All other users should be denied to get access from all sources\.
+All other users should be denied to get access from all sources\&.
.PP
\- : ALL : ALL
.SH "SEE ALSO"
@@ -165,6 +327,6 @@ Original
\fBlogin.access\fR(5)
manual was provided by Guido van Rooij which was renamed to
\fBaccess.conf\fR(5)
-to reflect relation to default config file\.
+to reflect relation to default config file\&.
.PP
-Network address / netmask description and example text was introduced by Mike Becher <mike\.becher@lrz\-muenchen\.de>\.
+Network address / netmask description and example text was introduced by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&.
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-18 08:38:49 +0000