| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122 |
- # Login access control table.
- #
- # Comment line must start with "#", no space at front.
- # Order of lines is important.
- #
- # When someone logs in, the table is scanned for the first entry that
- # matches the (user, host) combination, or, in case of non-networked
- # logins, the first entry that matches the (user, tty) combination. The
- # permissions field of that table entry determines whether the login will
- # be accepted or refused.
- #
- # Format of the login access control table is three fields separated by a
- # ":" character:
- #
- # [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
- # module, you can change the field separation character to be
- # '|'. This is useful for configurations where you are trying to use
- # pam_access with X applications that provide PAM_TTY values that are
- # the display variable like "host:0".]
- #
- # permission : users : origins
- #
- # The first field should be a "+" (access granted) or "-" (access denied)
- # character.
- #
- # The second field should be a list of one or more login names, group
- # names, or ALL (always matches). A pattern of the form user@host is
- # matched when the login name matches the "user" part, and when the
- # "host" part matches the local machine name.
- #
- # The third field should be a list of one or more tty names (for
- # non-networked logins), host names, domain names (begin with "."), host
- # addresses, internet network numbers (end with "."), ALL (always
- # matches), NONE (matches no tty on non-networked logins) or
- # LOCAL (matches any string that does not contain a "." character).
- #
- # You can use @netgroupname in host or user patterns; this even works
- # for @usergroup@@hostgroup patterns.
- #
- # The EXCEPT operator makes it possible to write very compact rules.
- #
- # The group file is searched only when a name does not match that of the
- # logged-in user. Both the user's primary group is matched, as well as
- # groups in which users are explicitly listed.
- # To avoid problems with accounts, which have the same name as a group,
- # you can use brackets around group names '(group)' to differentiate.
- # In this case, you should also set the "nodefgroup" option.
- #
- # TTY NAMES: Must be in the form returned by ttyname(3) less the initial
- # "/dev" (e.g. tty1 or vc/1)
- #
- ##############################################################################
- #
- # Disallow non-root logins on tty1
- #
- #-:ALL EXCEPT root:tty1
- #
- # Disallow console logins to all but a few accounts.
- #
- #-:ALL EXCEPT wheel shutdown sync:LOCAL
- #
- # Same, but make sure that really the group wheel and not the user
- # wheel is used (use nodefgroup argument, too):
- #
- #-:ALL EXCEPT (wheel) shutdown sync:LOCAL
- #
- # Disallow non-local logins to privileged accounts (group wheel).
- #
- #-:wheel:ALL EXCEPT LOCAL .win.tue.nl
- #
- # Some accounts are not allowed to login from anywhere:
- #
- #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
- #
- # All other accounts are allowed to login from anywhere.
- #
- ##############################################################################
- # All lines from here up to the end are building a more complex example.
- ##############################################################################
- #
- # User "root" should be allowed to get access via cron .. tty5 tty6.
- #+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
- #
- # User "root" should be allowed to get access from hosts with ip addresses.
- #+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
- #+ : root : 127.0.0.1
- #
- # User "root" should get access from network 192.168.201.
- # This term will be evaluated by string matching.
- # comment: It might be better to use network/netmask instead.
- # The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
- #+ : root : 192.168.201.
- #
- # User "root" should be able to have access from domain.
- # Uses string matching also.
- #+ : root : .foo.bar.org
- #
- # User "root" should be denied to get access from all other sources.
- #- : root : ALL
- #
- # User "foo" and members of netgroup "nis_group" should be
- # allowed to get access from all sources.
- # This will only work if netgroup service is available.
- #+ : @nis_group foo : ALL
- #
- # User "john" should get access from ipv4 net/mask
- #+ : john : 127.0.0.0/24
- #
- # User "john" should get access from ipv4 as ipv6 net/mask
- #+ : john : ::ffff:127.0.0.0/127
- #
- # User "john" should get access from ipv6 host address
- #+ : john : 2001:4ca0:0:101::1
- #
- # User "john" should get access from ipv6 host address (same as above)
- #+ : john : 2001:4ca0:0:101:0:0:0:1
- #
- # User "john" should get access from ipv6 net/mask
- #+ : john : 2001:4ca0:0:101::/64
- #
- # All other users should be denied to get access from all sources.
- #- : ALL : ALL
|
