freebsd-dev/lib/libpam/modules/pam_login_access/login.access.5
Cy Schubert e8c4b9d46b This commit makes significant changes to pam_login_access(8) to bring it
up to par with the Linux pam_access(8).

Like the Linux pam_access(8) our pam_login_access(8) is a service module
for pam(3) that allows an administrator to limit access from specified
remote hosts or terminals. Unlike the Linux pam_access, pam_login_access
is missing some features which are added by this commit:

Access file can now be specified. The default remains /etc/access.conf.
The syntax is consistent with Linux pam_access.

By default usernames are matched. If the username fails to match, a match
against a group name is attempted. The new nodefgroup module option will
only match a username and no attempt to match a group name is made.
Group names must be specified in brackets, "()" when nodefgroup is
specified. Otherwise the old backward compatible behavior is used.
This is consistent with Linux pam_access.

A new field separator module option allows the replacement of the default
colon (:) with any other character. This facilitates potential future
specification of X displays. This is also consistent with Linux pam_access.

A new list separator module option to replace the default space/comma/tab
with another character. This too is consistent with Linux pam_access.

Linux pam_access options not implemented in this commit are the debug
and audit options. These will be implemented at a later date.

Reviewed by:	bjk, bcr (for manpages)
Approved by:	des (blanket, implicit)
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D23198
2020-02-18 11:27:08 +00:00

.\"
.\" $FreeBSD$
.\"
.Dd January 30, 2020
.Dt LOGIN.ACCESS 5
.Os
.Sh NAME
.Nm login.access
.Nd login access control table
.Sh SYNOPSIS
.Pa /etc/login.access
.Sh DESCRIPTION
The
.Nm
file specifies (user, host) combinations and/or (user, tty)
combinations for which a login will be either accepted or refused.
.Pp
When someone logs in, the
.Nm
file is scanned for the first entry that matches the (user, host)
combination or, for non-networked logins, the first entry that matches
the (user, tty) combination.
The permissions field of that entry determines whether the login is
accepted or refused; later entries are not consulted.
.Pp
Each line of the login access control table has three fields separated by a
.Ql \&:
character (the default; the field separator can be changed by a
.Xr pam_login_access 8
module option):
.Ar permission : Ns Ar users : Ns Ar origins
.Pp
Items within the
.Ar users
and
.Ar origins
lists are separated by spaces, commas or tabs.
.Pp
The first field should be a "+" (access granted) or "-" (access denied)
character.
.Pp
The second field should be a list of one or more login names,
group names, or ALL (always matches).
If the
.Xr pam_login_access 8
module is given the
.Cm nodefgroup
option, group names must be enclosed in parentheses, as in
.Ql (wheel) ,
and a bare name only ever matches a login name.
Without that option, a bare name is first compared with the login name
and, if it does not match, is tried as a group name.
.Pp
The third field should be a list
of one or more tty names (for non-networked logins), host names, domain
names (begin with "."), host addresses, internet network numbers (end
with "."), ALL (always matches) or LOCAL (matches any string that does
not contain a "." character).
If you run NIS you can use @netgroupname
in host or user patterns.
.Pp
The EXCEPT operator makes it possible to write very compact rules:
a list of the form
.Ar list1 Cm EXCEPT Ar list2
matches when an item of
.Ar list1
matches and no item of
.Ar list2
does.
.Pp
The group database is searched only when a name does not match that of the
logged-in user.
Only groups in which the user is explicitly listed are matched: the
primary group id from the password database is not consulted.
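.Pp
The following Python model of the matching rules described above is an added
example for illustration; it is not FreeBSD's pam_login_access code and it
makes assumptions the manual page does not state (lines beginning with
.Ql #
are comments, a login that matches no entry is permitted, host name
comparison is case-insensitive, and NIS @netgroup patterns are not
modelled).
The sample table and group database in it are constructed for the example.

```python
"""Model of the matching rules documented in login.access(5).

Added example for illustration; this is not FreeBSD's pam_login_access code.
Assumptions not stated by the manual page: lines starting with '#' are
comments, a login that matches no entry is permitted, host name comparison
is case-insensitive, and NIS @netgroup patterns are not modelled.
"""
import re
from dataclasses import dataclass
from typing import Callable

LIST_SEP = re.compile(r"[ ,\t]+")      # default list separators: space, comma, tab


@dataclass(frozen=True)
class Rule:
    permit: bool          # '+' -> True, '-' -> False
    users: list           # login names, group names, ALL, with optional EXCEPT
    origins: list         # tty names, hosts, domains, networks, ALL, LOCAL


def parse_table(text: str, field_sep: str = ":") -> list:
    """Parse a login.access table; field_sep models the module's field separator option."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # assumption: '#' introduces a comment
            continue
        fields = line.split(field_sep)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        perm, users, origins = (f.strip() for f in fields)
        if perm not in ("+", "-"):
            raise ValueError(f"line {lineno}: permission must be + or -, got {perm!r}")
        rules.append(Rule(perm == "+",
                          [t for t in LIST_SEP.split(users) if t],
                          [t for t in LIST_SEP.split(origins) if t]))
    return rules


def list_matches(tokens: list, match_one: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches when an item before EXCEPT matches and no item after it does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        positive, negative = tokens[:i], tokens[i + 1:]
    else:
        positive, negative = tokens, []
    return any(match_one(t) for t in positive) and not any(match_one(t) for t in negative)


def user_matches(tok: str, user: str, groups: dict, nodefgroup: bool) -> bool:
    """Match a users-field token; groups maps a group name to its explicit member set."""
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):       # explicit group, e.g. "(wheel)"
        return user in groups.get(tok[1:-1], ())
    if tok == user:
        return True
    # Without nodefgroup, a bare name that is not the login name is tried as a group.
    return not nodefgroup and user in groups.get(tok, ())


def origin_matches(tok: str, origin: str) -> bool:
    """Match an origins-field token against a tty name, host name or address."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                     # anything without a '.' (a tty, an unqualified host)
        return "." not in origin
    if tok.startswith("."):                # domain suffix, e.g. ".example.org"
        return origin.lower().endswith(tok.lower())
    if tok.endswith("."):                  # network prefix, e.g. "192.0.2."
        return origin.startswith(tok)
    return tok.lower() == origin.lower()   # assumption: case-insensitive exact match


def decide(rules: list, user: str, origin: str, groups: dict,
           nodefgroup: bool = False) -> tuple:
    """Return (permitted, index of the first matching rule or None)."""
    for i, rule in enumerate(rules):
        if (list_matches(rule.users, lambda t: user_matches(t, user, groups, nodefgroup))
                and list_matches(rule.origins, lambda t: origin_matches(t, origin))):
            return rule.permit, i          # the first matching entry decides
    return True, None                      # assumption: no matching entry permits


# Constructed sample table and group database (not taken from any real system).
SAMPLE_TABLE = """\
# deny everyone but wheel members and shutdown on the console
- : ALL EXCEPT wheel shutdown : console
# root may log in locally or from the example.org domain only
- : root : ALL EXCEPT LOCAL .example.org
# operators may come in from the management network
+ : (operators) : 192.0.2.
# nothing from the untrusted domain, for anyone
- : ALL : .untrusted.example
+ : ALL : ALL
"""
SAMPLE_GROUPS = {"wheel": {"alice"}, "operators": {"bob"}}

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for who, where in [("root", "console"), ("alice", "console"),
                       ("root", "evil.attacker.net"), ("bob", "192.0.2.10")]:
        print(who, where, decide(table, who, where, SAMPLE_GROUPS))
```

Two points the table alone does not make obvious: the same entries give a
different answer for alice on the console once
.Cm nodefgroup
is set, because the bare name
.Ql wheel
then no longer matches her group membership; and a bare group name in the
default mode also matches a login that happens to carry the same name, so
the parenthesized form is the unambiguous one.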
.Sh FILES
.Bl -tag -width /etc/login.access -compact
.It Pa /etc/login.access
login access control table
.El
.Sh SEE ALSO
.Xr login 1 ,
.Xr pam_login_access 8
.Sh AUTHORS
.An Guido van Rooij