109 lines
2.6 KiB
Plaintext
109 lines
2.6 KiB
Plaintext
<!--
|
|
|
|
pam_access module docs added by Tim Berger <timb@transmeta.com>
|
|
|
|
-->
|
|
|
|
<sect1> The access module
|
|
|
|
<sect2>Synopsis
|
|
|
|
<p>
|
|
<descrip>
|
|
|
|
<tag><bf>Module Name:</bf></tag>
|
|
|
|
<tt>pam_access</tt>
|
|
|
|
|
|
<tag><bf>Author[s]:</bf></tag>
|
|
|
|
Alexei Nogin <alexei@nogin.dnttm.ru>
|
|
|
|
<tag><bf>Maintainer:</bf></tag>
|
|
|
|
Author
|
|
|
|
<tag><bf>Management groups provided:</bf></tag>
|
|
|
|
account
|
|
|
|
<tag><bf>Cryptographically sensitive:</bf></tag>
|
|
|
|
<tag><bf>Security rating:</bf></tag>
|
|
|
|
<tag><bf>Clean code base:</bf></tag>
|
|
|
|
<tag><bf>System dependencies:</bf></tag>
|
|
Requires a configuration file. By default
|
|
<tt>/etc/security/access.conf</tt> is used but this can be overridden.
|
|
|
|
<tag><bf>Network aware:</bf></tag>
|
|
|
|
Through <tt/PAM_TTY/ if set, otherwise attempts getting tty name of
|
|
the stdin file descriptor with <tt/ttyname()/. Standard
|
|
gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/
|
|
calls. <bf/NIS/ is used for netgroup support.
|
|
|
|
</descrip>
|
|
|
|
<sect2>Overview of module
|
|
|
|
<p>
|
|
Provides logdaemon style login access control.
|
|
|
|
<sect2> Account component
|
|
|
|
<p>
|
|
<descrip>
|
|
|
|
<tag><bf>Recognized arguments:</bf></tag>
|
|
|
|
<tt>accessfile=<it>/path/to/file.conf</it></tt>
|
|
|
|
<tag><bf>Description:</bf></tag>
|
|
|
|
This module provides logdaemon style login access control based on
|
|
login names and on host (or domain) names, internet addresses (or
|
|
network numbers), or on terminal line names in case of non-networked
|
|
logins. Diagnostics are reported through <tt/syslog(3)/. Wietse
|
|
Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with
|
|
several changes by A. Nogin.
|
|
|
|
<p>
|
|
The behavior of this module can be modified with the following
|
|
arguments:
|
|
<itemize>
|
|
|
|
<item><tt>accessfile=/path/to/file.conf</tt> -
|
|
indicate an alternative <em/access/ configuration file to override
|
|
the default. This can be useful when different services need different
|
|
access lists.
|
|
|
|
</itemize>
|
|
|
|
<tag><bf>Examples/suggested usage:</bf></tag>
|
|
|
|
Use of module is recommended, for example, on administrative machines
|
|
such as <bf/NIS/ servers and mail servers where you need several accounts
|
|
active but don't want them all to have login capability.
|
|
|
|
For <tt>/etc/pam.d</tt> style configurations where your modules live
|
|
in <tt>/lib/security</tt>, start by adding the following line to
|
|
<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>,
|
|
<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>:
|
|
|
|
<tscreen>
|
|
<verb>
|
|
account required /lib/security/pam_access.so
|
|
</verb>
|
|
</tscreen>
|
|
|
|
Note that use of this module is not effective unless your system ignores
|
|
<tt>.rhosts</tt> files. See the the pam_rhosts_auth documentation.
|
|
|
|
A sample <tt>access.conf</tt> configuration file is included with the
|
|
distribution.
|
|
|
|
</descrip>
|