.\" Title: access.conf
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.74.0
.\" Date: 10/27/2010
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
.TH "ACCESS\&.CONF" "5" "10/27/2010" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * (re)Define some macros
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" toupper - uppercase a string (locale-aware)
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de toupper
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
\\$*
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH-xref - format a cross-reference to an SH section
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de SH-xref
.ie n \{\
.\}
.toupper \\$*
.el \{\
\\$*
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH - level-one heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SH
.\" put an extra blank line of space above the head in non-TTY output
.if t \{\
.sp 1
.\}
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[an-margin]u
.ti 0
.HTML-TAG ".NH \\n[an-level]"
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
\." make the size of the head bigger
.ps +3
.ft B
.ne (2v + 1u)
.ie n \{\
.\" if n (TTY output), use uppercase
.toupper \\$*
.\}
.el \{\
.nr an-break-flag 0
.\" if not n (not TTY), use normal case (not uppercase)
\\$1
.in \\n[an-margin]u
.ti 0
.\" if not n (not TTY), put a border/line under subheading
.sp -.6
\l'\n(.lu'
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SS - level-two heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SS
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[IN]u
.ti \\n[SN]u
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.ps \\n[PS-SS]u
\." make the size of the head bigger
.ps +2
.ft B
.ne (2v + 1u)
.if \\n[.$] \&\\$*
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BB/BE - put background/screen (filled box) around block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BB
.if t \{\
.sp -.5
.br
.in +2n
.ll -2n
.gcolor red
.di BX
.\}
..
.de EB
.if t \{\
.if "\\$2"adjust-for-leading-newline" \{\
.sp -1
.\}
.br
.di
.in
.ll
.gcolor
.nr BW \\n(.lu-\\n(.i
.nr BH \\n(dn+.5v
.ne \\n(BHu+.5v
.ie "\\$2"adjust-for-leading-newline" \{\
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.el \{\
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.in 0
.sp -.5v
.nf
.BX
.in
.sp .5v
.fi
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BM/EM - put colored marker in margin next to block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BM
.if t \{\
.br
.ll -2n
.gcolor red
.di BX
.\}
..
.de EM
.if t \{\
.br
.di
.ll
.gcolor
.nr BH \\n(dn
.ne \\n(BHu
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
.in 0
.nf
.BX
.in
.fi
.\}
..
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "Name"
access.conf \- the login access control table file
.SH "DESCRIPTION"
.PP
The
\FC/etc/security/access\&.conf\F[]
file specifies (\fIuser/group\fR,
\fIhost\fR), (\fIuser/group\fR,
\fInetwork/netmask\fR) or (\fIuser/group\fR,
\fItty\fR) combinations for which a login will be either accepted or refused\&.
.PP
When someone logs in, the file
\FCaccess\&.conf\F[]
is scanned for the first entry that matches the (\fIuser/group\fR,
\fIhost\fR) or (\fIuser/group\fR,
\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR,
\fItty\fR) combination\&. The permission field of that first matching entry determines whether the login will be accepted or refused; later entries are not consulted\&.
.PP
Each line of the login access control table has three fields separated by a ":" character (colon):
.PP
\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR
.PP
The first field, the
\fIpermission\fR
field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\&.
.PP
The second field, the
\fIusers\fR/\fIgroups\fR
field, should be a list of one or more login names, group names, or
\fIALL\fR
(which always matches)\&. To differentiate group entries from user entries, group names should be enclosed in parentheses, e\&.g\&.
\fI(group)\fR\&.
.PP
The third field, the
\fIorigins\fR
field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (beginning with "\&."), host addresses, internet network numbers (ending with "\&."), internet network addresses with a network mask (where the network mask can be either a decimal prefix length or an internet address),
\fIALL\fR
(which always matches) or
\fILOCAL\fR\&.
The
\fILOCAL\fR
keyword matches if and only if
\fIPAM_RHOST\fR
is not set; the origin is thus taken from
\fIPAM_TTY\fR
or
\fIPAM_SERVICE\fR\&. If supported by the system you can use
\fI@netgroupname\fR
in host or user patterns\&. The
\fI@@netgroupname\fR
syntax is supported in the user pattern only; it causes the local system hostname to be passed to the netgroup match call in addition to the user name\&. This might not work correctly on some libc implementations, causing the match to always fail\&.
.PP
The
\fIEXCEPT\fR
operator makes it possible to write very compact rules\&.
.PP
If the
\fBnodefgroup\fR
option is not set, the group file is searched when a name does not match that of the logged\-in user\&. Only groups in which the user is explicitly listed are matched\&. However, the PAM module does not look at the primary group id of a user\&.
.PP
The "\fI#\fR" character at the start of a line (with no leading space) marks that line as a comment\&.
.SH "EXAMPLES"
.PP
These are some example lines which might be specified in
\FC/etc/security/access\&.conf\F[]\&.
.PP
User
\fIroot\fR
should be allowed to get access via
\fIcron\fR, X11 terminal
\fI:0\fR,
\fItty1\fR, \&.\&.\&.,
\fItty5\fR,
\fItty6\fR\&.
.PP
+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
.PP
User
\fIroot\fR
should be allowed to get access from hosts which own the following IPv4 addresses\&. This does not mean that the connection has to be an IPv4 one; an IPv6 connection from a host with one of these IPv4 addresses works, too\&.
.PP
+ : root : 192\&.168\&.200\&.1 192\&.168\&.200\&.4 192\&.168\&.200\&.9
.PP
+ : root : 127\&.0\&.0\&.1
.PP
User
\fIroot\fR
should get access from network
\FC192\&.168\&.201\&.\F[]
where the term is evaluated by string matching\&. It might be better to use network/netmask instead\&. The network/netmask equivalent of
\FC192\&.168\&.201\&.\F[]
is
\fI192\&.168\&.201\&.0/24\fR
or
\fI192\&.168\&.201\&.0/255\&.255\&.255\&.0\fR\&.
.PP
+ : root : 192\&.168\&.201\&.
.PP
User
\fIroot\fR
should be able to have access from hosts
\fIfoo1\&.bar\&.org\fR
and
\fIfoo2\&.bar\&.org\fR
(uses string matching also)\&.
.PP
+ : root : foo1\&.bar\&.org foo2\&.bar\&.org
.PP
User
\fIroot\fR
should be able to have access from domain
\fIfoo\&.bar\&.org\fR
(uses string matching also)\&.
.PP
+ : root : \&.foo\&.bar\&.org
.PP
User
\fIroot\fR
should be denied access from all other sources\&.
.PP
\- : root : ALL
.PP
User
\fIfoo\fR
and members of netgroup
\fIadmins\fR
should be allowed access from all sources\&. This will only work if the netgroup service is available\&.
.PP
+ : @admins foo : ALL
.PP
User
\fIjohn\fR
and
\fIfoo\fR
should get access from the IPv6 host address given below\&.
.PP
+ : john foo : 2001:db8:0:101::1
.PP
User
\fIjohn\fR
should get access from the IPv6 network/mask given below\&.
.PP
+ : john : 2001:db8:0:101::/64
.PP
Disallow console logins to all accounts except shutdown, sync, and members of the wheel group\&.
.PP
\-:ALL EXCEPT (wheel) shutdown sync:LOCAL
.PP
All other users should be denied access from all sources\&.
.PP
\- : ALL : ALL
.SH "SEE ALSO"
.PP
\fBpam_access\fR(8),
\fBpam.d\fR(5),
\fBpam\fR(8)
.SH "AUTHORS"
.PP
Original
\fBlogin.access\fR(5)
manual page was provided by Guido van Rooij; it was renamed to
\fBaccess.conf\fR(5)
to reflect its relation to the default config file\&.
.PP
The network address / netmask description and example text were introduced by Mike Becher\&.