| 3 |
- |
1 |
# Login access control table.
|
|
|
2 |
#
|
|
|
3 |
# Comment line must start with "#", no space at front.
|
|
|
4 |
# Order of lines is important.
|
|
|
5 |
#
|
|
|
6 |
# When someone logs in, the table is scanned for the first entry that
|
|
|
7 |
# matches the (user, host) combination, or, in case of non-networked
|
|
|
8 |
# logins, the first entry that matches the (user, tty) combination. The
|
|
|
9 |
# permissions field of that table entry determines whether the login will
|
|
|
10 |
# be accepted or refused.
|
|
|
11 |
#
|
|
|
12 |
# Format of the login access control table is three fields separated by a
|
|
|
13 |
# ":" character:
|
|
|
14 |
#
|
|
|
15 |
# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
|
|
|
16 |
# module, you can change the field separation character to be
|
|
|
17 |
# '|'. This is useful for configurations where you are trying to use
|
|
|
18 |
# pam_access with X applications that provide PAM_TTY values that are
|
|
|
19 |
# the display variable like "host:0".]
|
|
|
20 |
#
|
|
|
21 |
# permission : users : origins
|
|
|
22 |
#
|
|
|
23 |
# The first field should be a "+" (access granted) or "-" (access denied)
|
|
|
24 |
# character.
|
|
|
25 |
#
|
|
|
26 |
# The second field should be a list of one or more login names, group
|
|
|
27 |
# names, or ALL (always matches). A pattern of the form user@host is
|
|
|
28 |
# matched when the login name matches the "user" part, and when the
|
|
|
29 |
# "host" part matches the local machine name.
|
|
|
30 |
#
|
|
|
31 |
# The third field should be a list of one or more tty names (for
|
|
|
32 |
# non-networked logins), host names, domain names (begin with "."), host
|
|
|
33 |
# addresses, internet network numbers (end with "."), ALL (always
|
|
|
34 |
# matches), NONE (matches no tty on non-networked logins) or
|
|
|
35 |
# LOCAL (matches any string that does not contain a "." character).
|
|
|
36 |
#
|
|
|
37 |
# You can use @netgroupname in host or user patterns; this even works
|
|
|
38 |
# for @usergroup@@hostgroup patterns.
|
|
|
39 |
#
|
|
|
40 |
# The EXCEPT operator makes it possible to write very compact rules.
|
|
|
41 |
#
|
|
|
42 |
# The group file is searched only when a name does not match that of the
|
|
|
43 |
# logged-in user. Both the user's primary group is matched, as well as
|
|
|
44 |
# groups in which users are explicitly listed.
|
|
|
45 |
# To avoid problems with accounts, which have the same name as a group,
|
|
|
46 |
# you can use brackets around group names '(group)' to differentiate.
|
|
|
47 |
# In this case, you should also set the "nodefgroup" option.
|
|
|
48 |
#
|
|
|
49 |
# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
|
|
|
50 |
# "/dev" (e.g. tty1 or vc/1)
|
|
|
51 |
#
|
|
|
52 |
##############################################################################
|
|
|
53 |
#
|
|
|
54 |
# Disallow non-root logins on tty1
|
|
|
55 |
#
|
|
|
56 |
#-:ALL EXCEPT root:tty1
|
|
|
57 |
#
|
|
|
58 |
# Disallow console logins to all but a few accounts.
|
|
|
59 |
#
|
|
|
60 |
#-:ALL EXCEPT wheel shutdown sync:LOCAL
|
|
|
61 |
#
|
|
|
62 |
# Same, but make sure that really the group wheel and not the user
|
|
|
63 |
# wheel is used (use nodefgroup argument, too):
|
|
|
64 |
#
|
|
|
65 |
#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
|
|
|
66 |
#
|
|
|
67 |
# Disallow non-local logins to privileged accounts (group wheel).
|
|
|
68 |
#
|
|
|
69 |
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
|
|
|
70 |
#
|
|
|
71 |
# Some accounts are not allowed to login from anywhere:
|
|
|
72 |
#
|
|
|
73 |
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
|
|
|
74 |
#
|
|
|
75 |
# All other accounts are allowed to login from anywhere.
|
|
|
76 |
#
|
|
|
77 |
##############################################################################
|
|
|
78 |
# All lines from here up to the end are building a more complex example.
|
|
|
79 |
##############################################################################
|
|
|
80 |
#
|
|
|
81 |
# User "root" should be allowed to get access via cron .. tty5 tty6.
|
|
|
82 |
#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
|
|
|
83 |
#
|
|
|
84 |
# User "root" should be allowed to get access from hosts with ip addresses.
|
|
|
85 |
#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
|
|
|
86 |
#+ : root : 127.0.0.1
|
|
|
87 |
#
|
|
|
88 |
# User "root" should get access from network 192.168.201.
|
|
|
89 |
# This term will be evaluated by string matching.
|
|
|
90 |
# comment: It might be better to use network/netmask instead.
|
|
|
91 |
# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
|
|
|
92 |
#+ : root : 192.168.201.
|
|
|
93 |
#
|
|
|
94 |
# User "root" should be able to have access from domain.
|
|
|
95 |
# Uses string matching also.
|
|
|
96 |
#+ : root : .foo.bar.org
|
|
|
97 |
#
|
|
|
98 |
# User "root" should be denied to get access from all other sources.
|
|
|
99 |
#- : root : ALL
|
|
|
100 |
#
|
|
|
101 |
# User "foo" and members of netgroup "nis_group" should be
|
|
|
102 |
# allowed to get access from all sources.
|
|
|
103 |
# This will only work if netgroup service is available.
|
|
|
104 |
#+ : @nis_group foo : ALL
|
|
|
105 |
#
|
|
|
106 |
# User "john" should get access from ipv4 net/mask
|
|
|
107 |
#+ : john : 127.0.0.0/24
|
|
|
108 |
#
|
|
|
109 |
# User "john" should get access from ipv4 as ipv6 net/mask
|
|
|
110 |
#+ : john : ::ffff:127.0.0.0/127
|
|
|
111 |
#
|
|
|
112 |
# User "john" should get access from ipv6 host address
|
|
|
113 |
#+ : john : 2001:4ca0:0:101::1
|
|
|
114 |
#
|
|
|
115 |
# User "john" should get access from ipv6 host address (same as above)
|
|
|
116 |
#+ : john : 2001:4ca0:0:101:0:0:0:1
|
|
|
117 |
#
|
|
|
118 |
# User "john" should get access from ipv6 net/mask
|
|
|
119 |
#+ : john : 2001:4ca0:0:101::/64
|
|
|
120 |
#
|
|
|
121 |
# All other users should be denied to get access from all sources.
|
|
|
122 |
#- : ALL : ALL
|