Diffstat (limited to 'modules/pam_access/access.conf')
-rw-r--r-- | modules/pam_access/access.conf | 53 |
1 files changed, 51 insertions, 2 deletions
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
index 98da5faa..b22f1d43 100644
--- a/modules/pam_access/access.conf
+++ b/modules/pam_access/access.conf
@@ -1,5 +1,8 @@
 # Login access control table.
 #
+# Comment line must start with "#", no space at front.
+# Order of lines is important.
+#
 # When someone logs in, the table is scanned for the first entry that
 # matches the (user, host) combination, or, in case of non-networked
 # logins, the first entry that matches the (user, tty) combination. The
@@ -31,8 +34,8 @@
 # matches), NONE (matches no tty on non-networked logins) or
 # LOCAL (matches any string that does not contain a "." character).
 #
-# If you run NIS you can use @netgroupname in host or user patterns; this
-# even works for @usergroup@@hostgroup patterns. Weird.
+# You can use @netgroupname in host or user patterns; this even works
+# for @usergroup@@hostgroup patterns.
 #
 # The EXCEPT operator makes it possible to write very compact rules.
 #
@@ -63,3 +66,49 @@
 #
 # All other accounts are allowed to login from anywhere.
 #
+##############################################################################
+# All lines from here up to the end are building a more complex example.
+##############################################################################
+#
+# User "root" should be allowed to get access via cron .. tty5 tty6.
+#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+#
+# User "root" should be allowed to get access from hosts with ip addresses.
+#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+#+ : root : 127.0.0.1
+#
+# User "root" should get access from network 192.168.201.
+# This term will be evaluated by string matching.
+# comment: It might be better to use network/netmask instead.
+# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
+#+ : root : 192.168.201.
+#
+# User "root" should be able to have access from domain.
+# Uses string matching also.
+#+ : root : .foo.bar.org
+#
+# User "root" should be denied to get access from all other sources.
+#- : root : ALL
+#
+# User "foo" and members of netgroup "nis_group" should be
+# allowed to get access from all sources.
+# This will only work if netgroup service is available.
+#+ : @nis_group foo : ALL
+#
+# User "john" should get access from ipv4 net/mask
+#+ : john : 127.0.0.0/24
+#
+# User "john" should get access from ipv4 as ipv6 net/mask
+#+ : john : ::ffff:127.0.0.0/127
+#
+# User "john" should get access from ipv6 host address
+#+ : john : 2001:4ca0:0:101::1
+#
+# User "john" should get access from ipv6 host address (same as above)
+#+ : john : 2001:4ca0:0:101:0:0:0:1
+#
+# User "john" should get access from ipv6 net/mask
+#+ : john : 2001:4ca0:0:101::/64
+#
+# All other users should be denied to get access from all sources.
+#- : ALL : ALL
|
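Review bot: The "ipv4 as ipv6 net/mask" example `#+ : john : ::ffff:127.0.0.0/127` is not the same scope as the `127.0.0.0/24` rule above it — a /127 prefix on an IPv4-mapped address covers only two addresses, and a reader copying the pair as equivalent forms will get a much narrower rule; the comment should say so, e.g. `# (a /127 here covers only ::ffff:127.0.0.0 and ::ffff:127.0.0.1; the IPv4 /24 above would be /120 in this notation)`. The two string-matched entries, `192.168.201.` and `.foo.bar.org`, deserve the same caveat the new text already gives the first of them: a prefix/suffix string match is broader than the intent reads and, for the domain form, is only as trustworthy as the host name the calling service hands to PAM, which presumably comes from a reverse lookup — worth stating in the comment rather than leaving it implied by "Uses string matching also." Since the new header line says "Order of lines is important", the example would be clearer if the final `#- : ALL : ALL` line also noted that everything it denies is whatever the earlier permit lines did not already match.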