# Login access control table.## Comment line must start with "#", no space a

1. # Login access control table.
2. #
3. # Comment line must start with "#", no space at front.
4. # Order of lines is important.
5. #
6. # When someone logs in, the table is scanned for the first entry that
7. # matches the (user, host) combination, or, in case of non-networked
8. # logins, the first entry that matches the (user, tty) combination. The
9. # permissions field of that table entry determines whether the login will
10. # be accepted or refused.
11. #
12. # Format of the login access control table is three fields separated by a
13. # ":" character:
14. #
15. # [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
16. # module, you can change the field separation character to be
17. # '|'. This is useful for configurations where you are trying to use
18. # pam_access with X applications that provide PAM_TTY values that are
19. # the display variable like "host:0".]
20. #
21. # permission : users : origins
22. #
23. # The first field should be a "+" (access granted) or "-" (access denied)
24. # character.
25. #
26. # The second field should be a list of one or more login names, group
27. # names, or ALL (always matches). A pattern of the form user@host is
28. # matched when the login name matches the "user" part, and when the
29. # "host" part matches the local machine name.
30. #
31. # The third field should be a list of one or more tty names (for
32. # non-networked logins), host names, domain names (begin with "."), host
33. # addresses, internet network numbers (end with "."), ALL (always
34. # matches), NONE (matches no tty on non-networked logins) or
35. # LOCAL (matches any string that does not contain a "." character).
36. #
37. # You can use @netgroupname in host or user patterns; this even works
38. # for @usergroup@@hostgroup patterns.
39. #
40. # The EXCEPT operator makes it possible to write very compact rules.
41. #
42. # The group file is searched only when a name does not match that of the
43. # logged-in user. Both the user's primary group is matched, as well as
44. # groups in which users are explicitly listed.
45. # To avoid problems with accounts, which have the same name as a group,
46. # you can use brackets around group names '(group)' to differentiate.
47. # In this case, you should also set the "nodefgroup" option.
48. #
49. # TTY NAMES: Must be in the form returned by ttyname(3) less the initial
50. # "/dev" (e.g. tty1 or vc/1)
51. #
52. ##############################################################################
53. #
54. # Disallow non-root logins on tty1
55. #
56. #-:ALL EXCEPT root:tty1
57. #
58. # Disallow console logins to all but a few accounts.
59. #
60. #-:ALL EXCEPT wheel shutdown sync:LOCAL
61. #
62. # Same, but make sure that really the group wheel and not the user
63. # wheel is used (use nodefgroup argument, too):
64. #
65. #-:ALL EXCEPT (wheel) shutdown sync:LOCAL
66. #
67. # Disallow non-local logins to privileged accounts (group wheel).
68. #
69. #-:wheel:ALL EXCEPT LOCAL .win.tue.nl
70. #
71. # Some accounts are not allowed to login from anywhere:
72. #
73. #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
74. #
75. # All other accounts are allowed to login from anywhere.
76. #
77. ##############################################################################
78. # All lines from here up to the end are building a more complex example.
79. ##############################################################################
80. #
81. # User "root" should be allowed to get access via cron .. tty5 tty6.
82. #+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
83. #
84. # User "root" should be allowed to get access from hosts with ip addresses.
85. #+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
86. #+ : root : 127.0.0.1
87. #
88. # User "root" should get access from network 192.168.201.
89. # This term will be evaluated by string matching.
90. # comment: It might be better to use network/netmask instead.
91. # The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
92. #+ : root : 192.168.201.
93. #
94. # User "root" should be able to have access from domain.
95. # Uses string matching also.
96. #+ : root : .foo.bar.org
97. #
98. # User "root" should be denied to get access from all other sources.
99. #- : root : ALL
100. #
101. # User "foo" and members of netgroup "nis_group" should be
102. # allowed to get access from all sources.
103. # This will only work if netgroup service is available.
104. #+ : @nis_group foo : ALL
105. #
106. # User "john" should get access from ipv4 net/mask
107. #+ : john : 127.0.0.0/24
108. #
109. # User "john" should get access from ipv4 as ipv6 net/mask
110. #+ : john : ::ffff:127.0.0.0/127
111. #
112. # User "john" should get access from ipv6 host address
113. #+ : john : 2001:4ca0:0:101::1
114. #
115. # User "john" should get access from ipv6 host address (same as above)
116. #+ : john : 2001:4ca0:0:101:0:0:0:1
117. #
118. # User "john" should get access from ipv6 net/mask
119. #+ : john : 2001:4ca0:0:101::/64
120. #
121. # All other users should be denied to get access from all sources.
122. #- : ALL : ALL