diff options
Diffstat (limited to 'modules/pam_access/access.conf.5')
-rw-r--r-- | modules/pam_access/access.conf.5 | 334 |
1 files changed, 334 insertions, 0 deletions
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5 new file mode 100644 index 0000000..9eef4ea --- /dev/null +++ b/modules/pam_access/access.conf.5 @@ -0,0 +1,334 @@ +.\" Title: access.conf +.\" Author: [see the "AUTHORS" section] +.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/> +.\" Date: 06/21/2011 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "ACCESS\&.CONF" "5" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * (re)Define some macros +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" toupper - uppercase a string (locale-aware) +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de toupper +.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ +\\$* +.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH-xref - format a cross-reference to an SH section +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de SH-xref +.ie n \{\ +.\} +.toupper \\$* +.el \{\ +\\$* +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH - level-one heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SH +.\" put an extra blank line of space above the head in non-TTY output +.if t \{\ +.sp 1 +.\} +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[an-margin]u +.ti 0 +.HTML-TAG ".NH \\n[an-level]" +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +\." make the size of the head bigger +.ps +3 +.ft B +.ne (2v + 1u) +.ie n \{\ +.\" if n (TTY output), use uppercase +.toupper \\$* +.\} +.el \{\ +.nr an-break-flag 0 +.\" if not n (not TTY), use normal case (not uppercase) +\\$1 +.in \\n[an-margin]u +.ti 0 +.\" if not n (not TTY), put a border/line under subheading +.sp -.6 +\l'\n(.lu' +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SS - level-two heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SS +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[IN]u +.ti \\n[SN]u +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.ps \\n[PS-SS]u +\." make the size of the head bigger +.ps +2 +.ft B +.ne (2v + 1u) +.if \\n[.$] \&\\$* +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BB/BE - put background/screen (filled box) around block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BB +.if t \{\ +.sp -.5 +.br +.in +2n +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EB +.if t \{\ +.if "\\$2"adjust-for-leading-newline" \{\ +.sp -1 +.\} +.br +.di +.in +.ll +.gcolor +.nr BW \\n(.lu-\\n(.i +.nr BH \\n(dn+.5v +.ne \\n(BHu+.5v +.ie "\\$2"adjust-for-leading-newline" \{\ +\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.el \{\ +\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.in 0 +.sp -.5v +.nf +.BX +.in +.sp .5v +.fi +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BM/EM - put colored marker in margin next to block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BM +.if t \{\ +.br +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EM +.if t \{\ +.br +.di +.ll +.gcolor +.nr BH \\n(dn +.ne \\n(BHu +\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] +.in 0 +.nf +.BX +.in +.fi +.\} +.. +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "Name" +access.conf \- the login access control table file +.SH "DESCRIPTION" +.PP +The +\FC/etc/security/access\&.conf\F[] +file specifies (\fIuser/group\fR, +\fIhost\fR), (\fIuser/group\fR, +\fInetwork/netmask\fR) or (\fIuser/group\fR, +\fItty\fR) combinations for which a login will be either accepted or refused\&. +.PP +When someone logs in, the file +\FCaccess\&.conf\F[] +is scanned for the first entry that matches the (\fIuser/group\fR, +\fIhost\fR) or (\fIuser/group\fR, +\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR, +\fItty\fR) combination\&. The permissions field of that table entry determines whether the login will be accepted or refused\&. +.PP +Each line of the login access control table has three fields separated by a ":" character (colon): +.PP + +\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR +.PP +The first field, the +\fIpermission\fR +field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\&. +.PP +The second field, the +\fIusers\fR/\fIgroup\fR +field, should be a list of one or more login names, group names, or +\fIALL\fR +(which always matches)\&. To differentiate user entries from group entries, group entries should be written with brackets, e\&.g\&. +\fI(group)\fR\&. +.PP +The third field, the +\fIorigins\fR +field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\&."), host addresses, internet network numbers (end with "\&."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also), +\fIALL\fR +(which always matches) or +\fILOCAL\fR\&. +\fILOCAL\fR +keyword matches if and only if the +\fIPAM_RHOST\fR +is not set and <origin> field is thus set from +\fIPAM_TTY\fR +or +\fIPAM_SERVICE\fR"\&. If supported by the system you can use +\fI@netgroupname\fR +in host or user patterns\&. The +\fI@@netgroupname\fR +syntax is supported in the user pattern only and it makes the local system hostname to be passed to the netgroup match call in addition to the user name\&. This might not work correctly on some libc implementations causing the match to always fail\&. +.PP +The +\fIEXCEPT\fR +operator makes it possible to write very compact rules\&. +.PP +If the +\fBnodefgroup\fR +is not set, the group file is searched when a name does not match that of the logged\-in user\&. Only groups are matched in which users are explicitly listed\&. However the PAM module does not look at the primary group id of a user\&. +.PP +The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\&. +.SH "EXAMPLES" +.PP +These are some example lines which might be specified in +\FC/etc/security/access\&.conf\F[]\&. +.PP +User +\fIroot\fR +should be allowed to get access via +\fIcron\fR, X11 terminal +\fI:0\fR, +\fItty1\fR, \&.\&.\&., +\fItty5\fR, +\fItty6\fR\&. +.PP ++ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 +.PP +User +\fIroot\fR +should be allowed to get access from hosts which own the IPv4 addresses\&. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\&. +.PP ++ : root : 192\&.168\&.200\&.1 192\&.168\&.200\&.4 192\&.168\&.200\&.9 +.PP ++ : root : 127\&.0\&.0\&.1 +.PP +User +\fIroot\fR +should get access from network +\FC192\&.168\&.201\&.\F[] +where the term will be evaluated by string matching\&. But it might be better to use network/netmask instead\&. The same meaning of +\FC192\&.168\&.201\&.\F[] +is +\fI192\&.168\&.201\&.0/24\fR +or +\fI192\&.168\&.201\&.0/255\&.255\&.255\&.0\fR\&. +.PP ++ : root : 192\&.168\&.201\&. +.PP +User +\fIroot\fR +should be able to have access from hosts +\fIfoo1\&.bar\&.org\fR +and +\fIfoo2\&.bar\&.org\fR +(uses string matching also)\&. +.PP ++ : root : foo1\&.bar\&.org foo2\&.bar\&.org +.PP +User +\fIroot\fR +should be able to have access from domain +\fIfoo\&.bar\&.org\fR +(uses string matching also)\&. +.PP ++ : root : \&.foo\&.bar\&.org +.PP +User +\fIroot\fR +should be denied to get access from all other sources\&. +.PP +\- : root : ALL +.PP +User +\fIfoo\fR +and members of netgroup +\fIadmins\fR +should be allowed to get access from all sources\&. This will only work if netgroup service is available\&. +.PP ++ : @admins foo : ALL +.PP +User +\fIjohn\fR +and +\fIfoo\fR +should get access from IPv6 host address\&. +.PP ++ : john foo : 2001:db8:0:101::1 +.PP +User +\fIjohn\fR +should get access from IPv6 net/mask\&. +.PP ++ : john : 2001:db8:0:101::/64 +.PP +Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\&. +.PP +\-:ALL EXCEPT (wheel) shutdown sync:LOCAL +.PP +All other users should be denied to get access from all sources\&. +.PP +\- : ALL : ALL +.SH "SEE ALSO" +.PP + +\fBpam_access\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHORS" +.PP +Original +\fBlogin.access\fR(5) +manual was provided by Guido van Rooij which was renamed to +\fBaccess.conf\fR(5) +to reflect relation to default config file\&. +.PP +Network address / netmask description and example text was introduced by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&. |