summaryrefslogtreecommitdiff
path: root/modules/pam_access/access.conf
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_access/access.conf')
-rw-r--r--modules/pam_access/access.conf122
1 files changed, 122 insertions, 0 deletions
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
new file mode 100644
index 0000000..74c5fbe
--- /dev/null
+++ b/modules/pam_access/access.conf
@@ -0,0 +1,122 @@
+# Login access control table.
+#
+# Comment line must start with "#", no space at front.
+# Order of lines is important.
+#
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination. The
+# permissions field of that table entry determines whether the login will
+# be accepted or refused.
+#
+# Format of the login access control table is three fields separated by a
+# ":" character:
+#
+# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
+# module, you can change the field separation character to be
+# '|'. This is useful for configurations where you are trying to use
+# pam_access with X applications that provide PAM_TTY values that are
+# the display variable like "host:0".]
+#
+# permission : users : origins
+#
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character.
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches), NONE (matches no tty on non-networked logins) or
+# LOCAL (matches any string that does not contain a "." character).
+#
+# You can use @netgroupname in host or user patterns; this even works
+# for @usergroup@@hostgroup patterns.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Both the user's primary group is matched, as well as
+# groups in which users are explicitly listed.
+# To avoid problems with accounts, which have the same name as a group,
+# you can use brackets around group names '(group)' to differentiate.
+# In this case, you should also set the "nodefgroup" option.
+#
+# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
+# "/dev" (e.g. tty1 or vc/1)
+#
+##############################################################################
+#
+# Disallow non-root logins on tty1
+#
+#-:ALL EXCEPT root:tty1
+#
+# Disallow console logins to all but a few accounts.
+#
+#-:ALL EXCEPT wheel shutdown sync:LOCAL
+#
+# Same, but make sure that really the group wheel and not the user
+# wheel is used (use nodefgroup argument, too):
+#
+#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
+##############################################################################
+# All lines from here up to the end are building a more complex example.
+##############################################################################
+#
+# User "root" should be allowed to get access via cron .. tty5 tty6.
+#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+#
+# User "root" should be allowed to get access from hosts with ip addresses.
+#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+#+ : root : 127.0.0.1
+#
+# User "root" should get access from network 192.168.201.
+# This term will be evaluated by string matching.
+# comment: It might be better to use network/netmask instead.
+# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
+#+ : root : 192.168.201.
+#
+# User "root" should be able to have access from domain.
+# Uses string matching also.
+#+ : root : .foo.bar.org
+#
+# User "root" should be denied to get access from all other sources.
+#- : root : ALL
+#
+# User "foo" and members of netgroup "nis_group" should be
+# allowed to get access from all sources.
+# This will only work if netgroup service is available.
+#+ : @nis_group foo : ALL
+#
+# User "john" should get access from ipv4 net/mask
+#+ : john : 127.0.0.0/24
+#
+# User "john" should get access from ipv4 as ipv6 net/mask
+#+ : john : ::ffff:127.0.0.0/127
+#
+# User "john" should get access from ipv6 host address
+#+ : john : 2001:4ca0:0:101::1
+#
+# User "john" should get access from ipv6 host address (same as above)
+#+ : john : 2001:4ca0:0:101:0:0:0:1
+#
+# User "john" should get access from ipv6 net/mask
+#+ : john : 2001:4ca0:0:101::/64
+#
+# All other users should be denied to get access from all sources.
+#- : ALL : ALL