<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">

<refentry id="access.conf">

  <refmeta>
    <refentrytitle>access.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>access.conf</refname>
    <refpurpose>the login access control table file</refpurpose>
  </refnamediv>


  <refsect1 id='access.conf-description'>
    <title>DESCRIPTION</title>
    <para>
      The <filename>/etc/security/access.conf</filename> file specifies
      (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
      (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>),
      (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>),
      (<replaceable>user/group</replaceable>,
      <replaceable>X-$DISPLAY-value</replaceable>), or
      (<replaceable>user/group</replaceable>,
      <replaceable>pam-service-name</replaceable>)
      combinations for which a login will be either accepted or refused.
    </para>
    <para>
      When someone logs in, the file <filename>access.conf</filename> is
      scanned for the first entry that matches the
      (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>) or
      (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>)
      combination, or, in case of non-networked logins, the first entry
      that matches the
      (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
      combination, or in the case of non-networked logins without a
      tty, the first entry that matches the
      (<replaceable>user/group</replaceable>,
      <replaceable>X-$DISPLAY-value</replaceable>) or
      (<replaceable>user/group</replaceable>,
      <replaceable>pam-service-name</replaceable>)
      combination. The permissions field of that table entry determines
      whether the login will be accepted or refused. If no entry matches,
      the login is accepted; a table that is meant to be restrictive should
      therefore end with a catch-all entry such as <literal>-:ALL:ALL</literal>.
    </para>

    <para>
      Each line of the login access control table has three fields separated
      by a ":" character (colon):
    </para>

    <para>
      <replaceable>permission</replaceable>:<replaceable>users/groups</replaceable>:<replaceable>origins</replaceable>
    </para>


    <para>
      The first field, the <replaceable>permission</replaceable> field, can be either a
      "<emphasis>+</emphasis>" character (plus) for access granted or a
      "<emphasis>-</emphasis>" character (minus) for access denied.
    </para>

    <para>
      The second field, the
      <replaceable>users/groups</replaceable>
      field, should be a list of one or more login names, group names, or
      <emphasis>ALL</emphasis> (which always matches). To differentiate
      user entries from group entries, group entries should be written
      in parentheses, e.g. <emphasis>(group)</emphasis>.
    </para>

    <para>
      The third field, the <replaceable>origins</replaceable>
      field, should be a list of one or more tty names (for non-networked
      logins), X <varname>$DISPLAY</varname> values or PAM service
      names (for non-networked logins without a tty), host names,
      domain names (begin with "."), host addresses,
      internet network numbers (end with "."), internet network addresses
      with network mask (where the network mask can be a decimal prefix
      length or an internet address), <emphasis>ALL</emphasis> (which always matches)
      or <emphasis>LOCAL</emphasis>. The <emphasis>LOCAL</emphasis>
      keyword matches if and only if
      <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
      when called with an <parameter>item_type</parameter> of
      <emphasis>PAM_RHOST</emphasis>, returns NULL or an
      empty string (and therefore the
      <replaceable>origins</replaceable> field is compared against the
      return value of
      <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>
      called with an <parameter>item_type</parameter> of
      <emphasis>PAM_TTY</emphasis> or, absent that,
      <emphasis>PAM_SERVICE</emphasis>).
    </para>

    <para>
      If supported by the system you can use
      <emphasis>@netgroupname</emphasis> in host or user patterns. The
      <emphasis>@@netgroupname</emphasis> syntax is supported in the user
      pattern only; it causes the local system hostname to be passed
      to the netgroup match call in addition to the user name. This might not
      work correctly on some libc implementations, causing the match to
      always fail.
    </para>

    <para>
      The <replaceable>EXCEPT</replaceable> operator makes it possible to
      write very compact rules: the items listed after
      <replaceable>EXCEPT</replaceable> are exceptions to the items listed
      before it within the same field.
    </para>

    <para>
      If the <option>nodefgroup</option> option is not set, the group file
      is searched when a name does not match that of the logged-in
      user. Only groups in which the user is explicitly listed are matched;
      the PAM module does not look at the primary group id of a user.
    </para>


    <para>
      The "<emphasis>#</emphasis>" character at the start of a line (no space
      in front) marks that line as a comment line.
    </para>

  </refsect1>

  <refsect1 id="access.conf-examples">
    <title>EXAMPLES</title>
    <para>
      These are some example lines which might be specified in
      <filename>/etc/security/access.conf</filename>.
    </para>

    <para>
      User <emphasis>root</emphasis> should be allowed to get access via
      the <emphasis>crond</emphasis> PAM service, X11 terminal <emphasis remap='I'>:0</emphasis>,
      <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>,
      <emphasis>tty6</emphasis>.
    </para>
    <para>+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>

    <para>
      User <emphasis>root</emphasis> should be allowed to get access from
      hosts that own the following IPv4 addresses. This does not mean that the
      connection has to be an IPv4 one; an IPv6 connection from a host with
      one of these IPv4 addresses works, too.
    </para>
    <para>+:root:192.168.200.1 192.168.200.4 192.168.200.9</para>
    <para>+:root:127.0.0.1</para>

    <para>
      User <emphasis>root</emphasis> should get access from network
      <literal>192.168.201.</literal>, where the term is evaluated by
      string matching. It is usually better to use network/netmask instead:
      <emphasis>192.168.201.0/24</emphasis> and
      <emphasis>192.168.201.0/255.255.255.0</emphasis> have the same meaning
      as <literal>192.168.201.</literal>.
    </para>
    <para>+:root:192.168.201.</para>

    <para>
      User <emphasis>root</emphasis> should be able to have access from hosts
      <emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis>
      (also uses string matching).
    </para>
    <para>+:root:foo1.bar.org foo2.bar.org</para>

    <para>
      User <emphasis>root</emphasis> should be able to have access from
      domain <emphasis>foo.bar.org</emphasis> (also uses string matching).
    </para>
    <para>+:root:.foo.bar.org</para>

    <para>
      User <emphasis>root</emphasis> should be denied access
      from all other sources.
    </para>
    <para>-:root:ALL</para>

    <para>
      User <emphasis>foo</emphasis> and members of netgroup
      <emphasis>admins</emphasis> should be allowed to get access
      from all sources. This will only work if a netgroup service is available.
    </para>
    <para>+:@admins foo:ALL</para>

    <para>
      Users <emphasis>john</emphasis> and <emphasis>foo</emphasis>
      should get access from an IPv6 host address.
    </para>
    <para>+:john foo:2001:db8:0:101::1</para>

    <para>
      User <emphasis>john</emphasis> should get access from an IPv6 network/mask.
    </para>
    <para>+:john:2001:db8:0:101::/64</para>

    <para>
      Disallow console logins to all accounts except
      <emphasis>shutdown</emphasis>, <emphasis>sync</emphasis> and
      members of the <emphasis>wheel</emphasis> group.
    </para>
    <para>-:ALL EXCEPT (wheel) shutdown sync:LOCAL</para>

    <para>
      All other users should be denied access from all sources.
    </para>
    <para>-:ALL:ALL</para>

  </refsect1>

  <refsect1 id="access.conf-notes">
    <title>NOTES</title>
    <para>
      The default separators of list items in a field are space, ',' and tab
      characters. Thus, conveniently, spaces at the beginning and end of
      a field are ignored. However, if the list separator is changed with the
      <emphasis>listsep</emphasis> option, such spaces become part of the
      actual item, which then never matches, so the line is effectively ignored.
      For this reason, it is not recommended to put spaces around the ':'
      characters.
    </para>
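    <para>
      The following Python script is an added example, not part of this
      manual page or of Linux-PAM: it models the matching rules described
      above (first matching line wins, the three colon-separated fields, the
      <emphasis>(group)</emphasis> syntax, <emphasis>EXCEPT</emphasis>, the
      origin forms, <emphasis>nodefgroup</emphasis> and the
      <emphasis>listsep</emphasis> caveat from this section) and evaluates the
      EXAMPLES lines as one file, in page order. It simplifies the real module
      in ways marked in its docstring: group and netgroup membership are
      supplied by the caller, and network tokens are compared only with an IP
      literal in the origin, whereas pam_access resolves host names first.
      The <literal>Login</literal>, <literal>check</literal> and
      <literal>NETGROUPS</literal> names, and the users ann, alice and bob,
      are inventions of the example.
    </para>

```python
"""Toy evaluator for /etc/security/access.conf (added example, not Linux-PAM's
pam_access code): first matching line wins, '(group)' syntax, EXCEPT, and the
origin forms tty / service / LOCAL / host / .domain / net-number / net/mask.
Assumptions: group and netgroup membership come from the caller, '@@name' is
treated like '@name', and network tokens are compared only with IP literals."""
import ipaddress
import re

def split_list(field, listsep=" ,\t"):            # default: space, ',', tab
    """strtok()-style split on runs of separators; a blank is only dropped
    while ' ' is itself in listsep (the NOTES caveat)."""
    return [t for t in re.split("[%s]+" % re.escape(listsep), field) if t]

def parse_rules(text, listsep=" ,\t"):
    """[(perm, users, origins)].  Only the first two ':' split, so IPv6
    origins keep their colons; malformed lines are skipped, as pam_access does."""
    rules = []
    for line in text.splitlines():
        parts = line.split(":", 2)
        if not line.startswith("#") and len(parts) == 3 and parts[0][:1] in ("+", "-"):
            rules.append((parts[0][0], split_list(parts[1], listsep),
                          split_list(parts[2], listsep)))
    return rules

class Login:
    """A falsy rhost (PAM_RHOST) means a non-networked login whose origin is
    PAM_TTY or, absent that, PAM_SERVICE.  groups: names under which the user
    is explicitly listed in /etc/group (the primary gid is not consulted)."""
    def __init__(self, user, groups=(), rhost=None, tty=None, service="login"):
        self.user, self.groups = user, set(groups)
        self.remote = bool(rhost)
        self.origin = rhost if self.remote else (tty or service)

def user_match(tok, login, netgroups, nodefgroup):
    if tok.upper() == "ALL" or tok.lower() == login.user.lower():
        return True
    if tok.startswith("@"):                        # @netgroup / @@netgroup
        return login.user in netgroups.get(tok.lstrip("@"), ())
    if tok.startswith("(") and tok.endswith(")"):  # explicit group syntax
        return tok[1:-1] in login.groups
    return not nodefgroup and tok in login.groups  # bare name tried as group

def from_match(tok, login):
    s = login.origin
    if tok.upper() == "ALL" or tok.lower() == s.lower():
        return True
    if tok.startswith("."):                        # domain: suffix match
        return len(s) > len(tok) and s.lower().endswith(tok.lower())
    if not login.remote:                           # tty/service: only LOCAL
        return tok.upper() == "LOCAL"
    try:
        addr = ipaddress.ip_address(s)
        if tok.endswith("."):                      # "192.168.201." prefix form
            return addr.version == 4 and s.startswith(tok)
        return addr in ipaddress.ip_network(tok, strict=False)  # addr/len/mask
    except ValueError:                             # host-name origin or token
        return False

def list_match(items, match):
    """Some item before EXCEPT must match and none after it may."""
    head, tail = items, []
    for i, tok in enumerate(items):
        if tok.upper() == "EXCEPT":
            head, tail = items[:i], items[i + 1:]
            break
    if not any(match(tok) for tok in head):
        return False
    return not (tail and list_match(tail, match))    # exceptions use same rule

def evaluate(rules, login, netgroups=None, nodefgroup=False):
    """True if access is granted.  As in pam_access, an attempt matching no
    line at all is GRANTED, which is why a policy should end in '-:ALL:ALL'."""
    ng = netgroups or {}
    for perm, users, origins in rules:
        if (list_match(origins, lambda t: from_match(t, login)) and
                list_match(users, lambda t: user_match(t, login, ng, nodefgroup))):
            return perm == "+"
    return True

# Constructed policy: this page's example lines in page order (netgroup made up).
RULES = parse_rules("""\
+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+:root:192.168.200.1 192.168.200.4 192.168.200.9
+:root:127.0.0.1
+:root:192.168.201.
+:root:foo1.bar.org foo2.bar.org
+:root:.foo.bar.org
-:root:ALL
+:@admins foo:ALL
+:john foo:2001:db8:0:101::1
+:john:2001:db8:0:101::/64
-:ALL EXCEPT (wheel) shutdown sync:LOCAL
-:ALL:ALL
""")
NETGROUPS = {"admins": {"ann"}}

def check(user, **kw):
    """One attempt against the example policy, e.g. check("root", tty="tty1")."""
    return evaluate(RULES, Login(user, **kw), NETGROUPS)
```

    <para>
      Two results are worth noting. With the full policy,
      <literal>check("alice", groups=["wheel"], tty="tty2")</literal> is
      denied: the <literal>EXCEPT (wheel)</literal> line only declines to
      deny wheel members, and the closing <literal>-:ALL:ALL</literal> then
      catches them. Drop that last line
      (<literal>evaluate(RULES[:-1], ...)</literal>) and the same attempt is
      granted, because an attempt that matches no line at all is accepted.
      Likewise <literal>parse_rules("-:root: ALL", listsep=",")</literal>
      yields the origin item <literal>" ALL"</literal>, which never matches,
      so that line silently stops denying root.
    </para>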
  </refsect1>

  <refsect1 id="access.conf-see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

  <refsect1 id="access.conf-author">
    <title>AUTHORS</title>
    <para>
      The original <citerefentry><refentrytitle>login.access</refentrytitle><manvolnum>5</manvolnum></citerefentry>
      manual was provided by Guido van Rooij; it was renamed to
      <citerefentry><refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
      to reflect its relation to the default config file.
    </para>
    <para>
      The network address / netmask description and example text were
      introduced by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
    </para>
  </refsect1>
</refentry>