Blame | Last modification | View Log | RSS feed
# Login access control table.## Comment line must start with "#", no space at front.# Order of lines is important.## When someone logs in, the table is scanned for the first entry that# matches the (user, host) combination, or, in case of non-networked# logins, the first entry that matches the (user, tty) combination. The# permissions field of that table entry determines whether the login will# be accepted or refused.## Format of the login access control table is three fields separated by a# ":" character:## [Note, if you supply a 'fieldsep=|' argument to the pam_access.so# module, you can change the field separation character to be# '|'. This is useful for configurations where you are trying to use# pam_access with X applications that provide PAM_TTY values that are# the display variable like "host:0".]## permission : users : origins## The first field should be a "+" (access granted) or "-" (access denied)# character.## The second field should be a list of one or more login names, group# names, or ALL (always matches). A pattern of the form user@host is# matched when the login name matches the "user" part, and when the# "host" part matches the local machine name.## The third field should be a list of one or more tty names (for# non-networked logins), host names, domain names (begin with "."), host# addresses, internet network numbers (end with "."), ALL (always# matches), NONE (matches no tty on non-networked logins) or# LOCAL (matches any string that does not contain a "." character).## You can use @netgroupname in host or user patterns; this even works# for @usergroup@@hostgroup patterns.## The EXCEPT operator makes it possible to write very compact rules.## The group file is searched only when a name does not match that of the# logged-in user. Both the user's primary group is matched, as well as# groups in which users are explicitly listed.# To avoid problems with accounts, which have the same name as a group,# you can use brackets around group names '(group)' to differentiate.# In this case, you should also set the "nodefgroup" option.## TTY NAMES: Must be in the form returned by ttyname(3) less the initial# "/dev" (e.g. tty1 or vc/1)################################################################################# Disallow non-root logins on tty1##-:ALL EXCEPT root:tty1## Disallow console logins to all but a few accounts.##-:ALL EXCEPT wheel shutdown sync:LOCAL## Same, but make sure that really the group wheel and not the user# wheel is used (use nodefgroup argument, too):##-:ALL EXCEPT (wheel) shutdown sync:LOCAL## Disallow non-local logins to privileged accounts (group wheel).##-:wheel:ALL EXCEPT LOCAL .win.tue.nl## Some accounts are not allowed to login from anywhere:##-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL## All other accounts are allowed to login from anywhere.################################################################################ All lines from here up to the end are building a more complex example.################################################################################ User "root" should be allowed to get access via cron .. tty5 tty6.#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6## User "root" should be allowed to get access from hosts with ip addresses.#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9#+ : root : 127.0.0.1## User "root" should get access from network 192.168.201.# This term will be evaluated by string matching.# comment: It might be better to use network/netmask instead.# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0#+ : root : 192.168.201.## User "root" should be able to have access from domain.# Uses string matching also.#+ : root : .foo.bar.org## User "root" should be denied to get access from all other sources.#- : root : ALL## User "foo" and members of netgroup "nis_group" should be# allowed to get access from all sources.# This will only work if netgroup service is available.#+ : @nis_group foo : ALL## User "john" should get access from ipv4 net/mask#+ : john : 127.0.0.0/24## User "john" should get access from ipv4 as ipv6 net/mask#+ : john : ::ffff:127.0.0.0/127## User "john" should get access from ipv6 host address#+ : john : 2001:4ca0:0:101::1## User "john" should get access from ipv6 host address (same as above)#+ : john : 2001:4ca0:0:101:0:0:0:1## User "john" should get access from ipv6 net/mask#+ : john : 2001:4ca0:0:101::/64## All other users should be denied to get access from all sources.#- : ALL : ALL