summaryrefslogtreecommitdiffstats
path: root/modules/pam_access/README
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:22:51 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:22:51 +0000
commit9ada0093e92388590c7368600ca4e9e3e376f0d0 (patch)
treea56fe41110023676d7082028cbaa47ca4b6e6164 /modules/pam_access/README
parentInitial commit. (diff)
downloadpam-9ada0093e92388590c7368600ca4e9e3e376f0d0.tar.xz
pam-9ada0093e92388590c7368600ca4e9e3e376f0d0.zip
Adding upstream version 1.5.2.upstream/1.5.2upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/pam_access/README')
-rw-r--r--modules/pam_access/README131
1 files changed, 131 insertions, 0 deletions
diff --git a/modules/pam_access/README b/modules/pam_access/README
new file mode 100644
index 0000000..26aad33
--- /dev/null
+++ b/modules/pam_access/README
@@ -0,0 +1,131 @@
+pam_access — PAM module for logdaemon style login access control
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_access PAM module is mainly for access management. It provides
+logdaemon style login access control based on login names, host or domain
+names, internet addresses or network numbers, or on terminal line names, X
+$DISPLAY values, or PAM service names in case of non-networked logins.
+
+By default rules for access management are taken from config file /etc/security
+/access.conf if you don't specify another file. Then individual *.conf files
+from the /etc/security/access.d/ directory are read. The files are parsed one
+after another in the order of the system locale. The effect of the individual
+files is the same as if all the files were concatenated together in the order
+of parsing. This means that once a pattern is matched in some file no further
+files are parsed. If a config file is explicitly specified with the accessfile
+option the files in the above directory are not parsed.
+
+If Linux PAM is compiled with audit support the module will report when it
+denies access based on origin (host, tty, etc.).
+
+OPTIONS
+
+accessfile=/path/to/access.conf
+
+ Indicate an alternative access.conf style configuration file to override
+ the default. This can be useful when different services need different
+ access lists.
+
+debug
+
+ A lot of debug information is printed with syslog(3).
+
+noaudit
+
+ Do not report logins from disallowed hosts and ttys to the audit subsystem.
+
+fieldsep=separators
+
+ This option modifies the field separator character that pam_access will
+ recognize when parsing the access configuration file. For example: fieldsep
+ =| will cause the default `:' character to be treated as part of a field
+ value and `|' becomes the field separator. Doing this may be useful in
+ conjunction with a system that wants to use pam_access with X based
+ applications, since the PAM_TTY item is likely to be of the form
+ "hostname:0" which includes a `:' character in its value. But you should
+ not need this.
+
+listsep=separators
+
+ This option modifies the list separator character that pam_access will
+ recognize when parsing the access configuration file. For example: listsep
+ =, will cause the default ` ' (space) and `\t' (tab) characters to be
+ treated as part of a list element value and `,' becomes the only list
+ element separator. Doing this may be useful on a system with group
+ information obtained from a Windows domain, where the default built-in
+ groups "Domain Users", "Domain Admins" contain a space.
+
+nodefgroup
+
+ User tokens which are not enclosed in parentheses will not be matched
+ against the group database. The backwards compatible default is to try the
+ group database match even for tokens not enclosed in parentheses.
+
+EXAMPLES
+
+These are some example lines which might be specified in /etc/security/
+access.conf.
+
+User root should be allowed to get access via cron, X11 terminal :0, tty1, ...,
+tty5, tty6.
+
++:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+
+User root should be allowed to get access from hosts which own the IPv4
+addresses. This does not mean that the connection have to be a IPv4 one, a IPv6
+connection from a host with one of this IPv4 addresses does work, too.
+
++:root:192.168.200.1 192.168.200.4 192.168.200.9
+
++:root:127.0.0.1
+
+User root should get access from network 192.168.201. where the term will be
+evaluated by string matching. But it might be better to use network/netmask
+instead. The same meaning of 192.168.201. is 192.168.201.0/24 or 192.168.201.0/
+255.255.255.0.
+
++:root:192.168.201.
+
+User root should be able to have access from hosts foo1.bar.org and
+foo2.bar.org (uses string matching also).
+
++:root:foo1.bar.org foo2.bar.org
+
+User root should be able to have access from domain foo.bar.org (uses string
+matching also).
+
++:root:.foo.bar.org
+
+User root should be denied to get access from all other sources.
+
+-:root:ALL
+
+User foo and members of netgroup admins should be allowed to get access from
+all sources. This will only work if netgroup service is available.
+
++:@admins foo:ALL
+
+User john and foo should get access from IPv6 host address.
+
++:john foo:2001:db8:0:101::1
+
+User john should get access from IPv6 net/mask.
+
++:john:2001:db8:0:101::/64
+
+Members of group wheel should be allowed to get access from all sources.
+
++:(wheel):ALL
+
+Disallow console logins to all but the shutdown, sync and all other accounts,
+which are a member of the wheel group.
+
+-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+
+All other users should be denied to get access from all sources.
+
+-:ALL:ALL
+