diff options
Diffstat (limited to 'modules/pam_access/access.conf')
-rw-r--r-- | modules/pam_access/access.conf | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf new file mode 100644 index 0000000..47b6b84 --- /dev/null +++ b/modules/pam_access/access.conf @@ -0,0 +1,122 @@ +# Login access control table. +# +# Comment line must start with "#", no space at front. +# Order of lines is important. +# +# When someone logs in, the table is scanned for the first entry that +# matches the (user, host) combination, or, in case of non-networked +# logins, the first entry that matches the (user, tty) combination. The +# permissions field of that table entry determines whether the login will +# be accepted or refused. +# +# Format of the login access control table is three fields separated by a +# ":" character: +# +# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so +# module, you can change the field separation character to be +# '|'. This is useful for configurations where you are trying to use +# pam_access with X applications that provide PAM_TTY values that are +# the display variable like "host:0".] +# +# permission:users:origins +# +# The first field should be a "+" (access granted) or "-" (access denied) +# character. +# +# The second field should be a list of one or more login names, group +# names, or ALL (always matches). A pattern of the form user@host is +# matched when the login name matches the "user" part, and when the +# "host" part matches the local machine name. +# +# The third field should be a list of one or more tty names (for +# non-networked logins), host names, domain names (begin with "."), host +# addresses, internet network numbers (end with "."), ALL (always +# matches), NONE (matches no tty on non-networked logins) or +# LOCAL (matches any string that does not contain a "." character). +# +# You can use @netgroupname in host or user patterns; this even works +# for @usergroup@@hostgroup patterns. +# +# The EXCEPT operator makes it possible to write very compact rules. +# +# The group file is searched only when a name does not match that of the +# logged-in user. Both the user's primary group is matched, as well as +# groups in which users are explicitly listed. +# To avoid problems with accounts, which have the same name as a group, +# you can use brackets around group names '(group)' to differentiate. +# In this case, you should also set the "nodefgroup" option. +# +# TTY NAMES: Must be in the form returned by ttyname(3) less the initial +# "/dev" (e.g. tty1 or vc/1) +# +############################################################################## +# +# Disallow non-root logins on tty1 +# +#-:ALL EXCEPT root:tty1 +# +# Disallow console logins to all but a few accounts. +# +#-:ALL EXCEPT wheel shutdown sync:LOCAL +# +# Same, but make sure that really the group wheel and not the user +# wheel is used (use nodefgroup argument, too): +# +#-:ALL EXCEPT (wheel) shutdown sync:LOCAL +# +# Disallow non-local logins to privileged accounts (group wheel). +# +#-:wheel:ALL EXCEPT LOCAL .win.tue.nl +# +# Some accounts are not allowed to login from anywhere: +# +#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL +# +# All other accounts are allowed to login from anywhere. +# +############################################################################## +# All lines from here up to the end are building a more complex example. +############################################################################## +# +# User "root" should be allowed to get access via cron .. tty5 tty6. +#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 +# +# User "root" should be allowed to get access from hosts with ip addresses. +#+:root:192.168.200.1 192.168.200.4 192.168.200.9 +#+:root:127.0.0.1 +# +# User "root" should get access from network 192.168.201. +# This term will be evaluated by string matching. +# comment: It might be better to use network/netmask instead. +# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0 +#+:root:192.168.201. +# +# User "root" should be able to have access from domain. +# Uses string matching also. +#+:root:.foo.bar.org +# +# User "root" should be denied to get access from all other sources. +#-:root:ALL +# +# User "foo" and members of netgroup "nis_group" should be +# allowed to get access from all sources. +# This will only work if netgroup service is available. +#+:@nis_group foo:ALL +# +# User "john" should get access from ipv4 net/mask +#+:john:127.0.0.0/24 +# +# User "john" should get access from ipv4 as ipv6 net/mask +#+:john:::ffff:127.0.0.0/127 +# +# User "john" should get access from ipv6 host address +#+:john:2001:4ca0:0:101::1 +# +# User "john" should get access from ipv6 host address (same as above) +#+:john:2001:4ca0:0:101:0:0:0:1 +# +# User "john" should get access from ipv6 net/mask +#+:john:2001:4ca0:0:101::/64 +# +# All other users should be denied to get access from all sources. +#-:ALL:ALL |