summaryrefslogtreecommitdiff
path: root/modules/pam_access/access.conf.5
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_access/access.conf.5')
-rw-r--r--modules/pam_access/access.conf.5170
1 files changed, 170 insertions, 0 deletions
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5
new file mode 100644
index 00000000..4221ccfc
--- /dev/null
+++ b/modules/pam_access/access.conf.5
@@ -0,0 +1,170 @@
+.\" Title: access.conf
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 04/16/2008
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\"
+.TH "ACCESS\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+access.conf - the login access control table file
+.SH "DESCRIPTION"
+.PP
+The
+\fI/etc/security/access\.conf\fR
+file specifies (\fIuser/group\fR,
+\fIhost\fR), (\fIuser/group\fR,
+\fInetwork/netmask\fR) or (\fIuser/group\fR,
+\fItty\fR) combinations for which a login will be either accepted or refused\.
+.PP
+When someone logs in, the file
+\fIaccess\.conf\fR
+is scanned for the first entry that matches the (\fIuser/group\fR,
+\fIhost\fR) or (\fIuser/group\fR,
+\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR,
+\fItty\fR) combination\. The permissions field of that table entry determines whether the login will be accepted or refused\.
+.PP
+Each line of the login access control table has three fields separated by a ":" character (colon):
+.PP
+
+\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR
+.PP
+The first field, the
+\fIpermission\fR
+field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\.
+.PP
+The second field, the
+\fIusers\fR/\fIgroup\fR
+field, should be a list of one or more login names, group names, or
+\fIALL\fR
+(which always matches)\. To differentiate user entries from group entries, group entries should be written with brackets, e\.g\.
+\fI(group)\fR\.
+.PP
+The third field, the
+\fIorigins\fR
+field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\."), host addresses, internet network numbers (end with "\."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also),
+\fIALL\fR
+(which always matches) or
+\fILOCAL\fR
+(which matches any string that does not contain a "\." character)\. If supported by the system you can use
+\fI@netgroupname\fR
+in host or user patterns\.
+.PP
+The
+\fIEXCEPT\fR
+operator makes it possible to write very compact rules\.
+.PP
+If the
+\fBnodefgroup\fR
+is not set, the group file is searched when a name does not match that of the logged\-in user\. Only groups are matched in which users are explicitly listed\. However the PAM module does not look at the primary group id of a user\.
+.PP
+The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\.
+.SH "EXAMPLES"
+.PP
+These are some example lines which might be specified in
+\fI/etc/security/access\.conf\fR\.
+.PP
+User
+\fIroot\fR
+should be allowed to get access via
+\fIcron\fR, X11 terminal
+\fI:0\fR,
+\fItty1\fR, \.\.\.,
+\fItty5\fR,
+\fItty6\fR\.
+.PP
++ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+.PP
+User
+\fIroot\fR
+should be allowed to get access from hosts which own the IPv4 addresses\. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\.
+.PP
++ : root : 192\.168\.200\.1 192\.168\.200\.4 192\.168\.200\.9
+.PP
++ : root : 127\.0\.0\.1
+.PP
+User
+\fIroot\fR
+should get access from network
+192\.168\.201\.
+where the term will be evaluated by string matching\. But it might be better to use network/netmask instead\. The same meaning of
+192\.168\.201\.
+is
+\fI192\.168\.201\.0/24\fR
+or
+\fI192\.168\.201\.0/255\.255\.255\.0\fR\.
+.PP
++ : root : 192\.168\.201\.
+.PP
+User
+\fIroot\fR
+should be able to have access from hosts
+\fIfoo1\.bar\.org\fR
+and
+\fIfoo2\.bar\.org\fR
+(uses string matching also)\.
+.PP
++ : root : foo1\.bar\.org foo2\.bar\.org
+.PP
+User
+\fIroot\fR
+should be able to have access from domain
+\fIfoo\.bar\.org\fR
+(uses string matching also)\.
+.PP
++ : root : \.foo\.bar\.org
+.PP
+User
+\fIroot\fR
+should be denied to get access from all other sources\.
+.PP
+\- : root : ALL
+.PP
+User
+\fIfoo\fR
+and members of netgroup
+\fIadmins\fR
+should be allowed to get access from all sources\. This will only work if netgroup service is available\.
+.PP
++ : @admins foo : ALL
+.PP
+User
+\fIjohn\fR
+and
+\fIfoo\fR
+should get access from IPv6 host address\.
+.PP
++ : john foo : 2001:4ca0:0:101::1
+.PP
+User
+\fIjohn\fR
+should get access from IPv6 net/mask\.
+.PP
++ : john : 2001:4ca0:0:101::/64
+.PP
+Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\.
+.PP
+\-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+.PP
+All other users should be denied to get access from all sources\.
+.PP
+\- : ALL : ALL
+.SH "SEE ALSO"
+.PP
+
+\fBpam_access\fR(8),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHORS"
+.PP
+Original
+\fBlogin.access\fR(5)
+manual was provided by Guido van Rooij which was renamed to
+\fBaccess.conf\fR(5)
+to reflect relation to default config file\.
+.PP
+Network address / netmask description and example text was introduced by Mike Becher <mike\.becher@lrz\-muenchen\.de>\.