freebsd-dev/contrib/libpam/doc/modules/pam_access.sgml

<!--
   
   pam_access module docs added by Tim Berger <timb@transmeta.com>

-->

<sect1> The access module

<sect2>Synopsis

<p>
<descrip>

<tag><bf>Module Name:</bf></tag>

<tt>pam_access</tt>


<tag><bf>Author[s]:</bf></tag>

Alexei Nogin &lt;alexei@nogin.dnttm.ru&gt;

<tag><bf>Maintainer:</bf></tag>
	
Author

<tag><bf>Management groups provided:</bf></tag>

account

<tag><bf>Cryptographically sensitive:</bf></tag>

<tag><bf>Security rating:</bf></tag>

<tag><bf>Clean code base:</bf></tag>

<tag><bf>System dependencies:</bf></tag> 
Requires a configuration file. By default 
<tt>/etc/security/access.conf</tt> is used but this can be overridden. 

<tag><bf>Network aware:</bf></tag>

Through <tt/PAM_TTY/ if set, otherwise attempts getting tty name of
the stdin file descriptor with <tt/ttyname()/.  Standard
gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/
calls.  <bf/NIS/ is used for netgroup support.

</descrip>

<sect2>Overview of module

<p>
Provides logdaemon style login access control.

<sect2> Account component

<p>
<descrip>

<tag><bf>Recognized arguments:</bf></tag>

<tt>accessfile=<it>/path/to/file.conf</it></tt>

<tag><bf>Description:</bf></tag>

This module provides logdaemon style login access control based on
login names and on host (or domain) names, internet addresses (or
network numbers), or on terminal line names in case of non-networked
logins. Diagnostics are reported through <tt/syslog(3)/.  Wietse
Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with
several changes by A. Nogin.

<p> 
The behavior of this module can be modified with the following 
arguments: 
<itemize> 
 
<item><tt>accessfile=/path/to/file.conf</tt> - 
indicate an alternative <em/access/ configuration file to override 
the default. This can be useful when different services need different 
access lists. 
 
</itemize> 

<tag><bf>Examples/suggested usage:</bf></tag>

Use of module is recommended, for example, on administrative machines
such as <bf/NIS/ servers and mail servers where you need several accounts
active but don't want them all to have login capability.

For <tt>/etc/pam.d</tt> style configurations where your modules live
in <tt>/lib/security</tt>, start by adding the following line to
<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>,
<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>:

<tscreen>
<verb>
account  required       /lib/security/pam_access.so
</verb>
</tscreen>

Note that use of this module is not effective unless your system ignores
<tt>.rhosts</tt> files.  See the the pam_rhosts_auth documentation.

A sample <tt>access.conf</tt> configuration file is included with the
distribution.

</descrip>
Vendor import Linux PAM 0.75 2001-05-03 09:36:08 +00:00			`<!--`

			`pam_access module docs added by Tim Berger <timb@transmeta.com>`

			`-->`

			`<sect1> The access module`

			`<sect2>Synopsis`

			`<p>`
			`<descrip>`

			`<tag><bf>Module Name:</bf></tag>`

			`<tt>pam_access</tt>`


			`<tag><bf>Author[s]:</bf></tag>`

			`Alexei Nogin <alexei@nogin.dnttm.ru>`

			`<tag><bf>Maintainer:</bf></tag>`

			`Author`

			`<tag><bf>Management groups provided:</bf></tag>`

			`account`

			`<tag><bf>Cryptographically sensitive:</bf></tag>`

			`<tag><bf>Security rating:</bf></tag>`

			`<tag><bf>Clean code base:</bf></tag>`

			`<tag><bf>System dependencies:</bf></tag>`
			`Requires a configuration file. By default`
			`<tt>/etc/security/access.conf</tt> is used but this can be overridden.`

			`<tag><bf>Network aware:</bf></tag>`

			`Through <tt/PAM_TTY/ if set, otherwise attempts getting tty name of`
			`the stdin file descriptor with <tt/ttyname()/. Standard`
			`gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/`
			`calls. <bf/NIS/ is used for netgroup support.`

			`</descrip>`

			`<sect2>Overview of module`

			`<p>`
			`Provides logdaemon style login access control.`

			`<sect2> Account component`

			`<p>`
			`<descrip>`

			`<tag><bf>Recognized arguments:</bf></tag>`

			`<tt>accessfile=<it>/path/to/file.conf</it></tt>`

			`<tag><bf>Description:</bf></tag>`

			`This module provides logdaemon style login access control based on`
			`login names and on host (or domain) names, internet addresses (or`
			`network numbers), or on terminal line names in case of non-networked`
			`logins. Diagnostics are reported through <tt/syslog(3)/. Wietse`
			`Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with`
			`several changes by A. Nogin.`

			`<p>`
			`The behavior of this module can be modified with the following`
			`arguments:`
			`<itemize>`

			`<item><tt>accessfile=/path/to/file.conf</tt> -`
			`indicate an alternative <em/access/ configuration file to override`
			`the default. This can be useful when different services need different`
			`access lists.`

			`</itemize>`

			`<tag><bf>Examples/suggested usage:</bf></tag>`

			`Use of module is recommended, for example, on administrative machines`
			`such as <bf/NIS/ servers and mail servers where you need several accounts`
			`active but don't want them all to have login capability.`

			`For <tt>/etc/pam.d</tt> style configurations where your modules live`
			`in <tt>/lib/security</tt>, start by adding the following line to`
			`<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>,`
			`<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>:`

			`<tscreen>`
			`<verb>`
			`account required /lib/security/pam_access.so`
			`</verb>`
			`</tscreen>`

			`Note that use of this module is not effective unless your system ignores`
			`<tt>.rhosts</tt> files. See the the pam_rhosts_auth documentation.`

			`A sample <tt>access.conf</tt> configuration file is included with the`
			`distribution.`

			`</descrip>`