1 <?xml version="1.0" encoding='UTF-8'?>
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
5 <refentry id="access.conf">
8 <refentrytitle>access.conf</refentrytitle>
9 <manvolnum>5</manvolnum>
10 <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
14 <refname>access.conf</refname>
15 <refpurpose>the login access control table file</refpurpose>
19 <refsect1 id='access.conf-description'>
20 <title>DESCRIPTION</title>
22 The <filename>/etc/security/access.conf</filename> file specifies
23 (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
24 (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or
25 (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
26 combinations for which a login will be either accepted or refused.
29 When someone logs in, the file <filename>access.conf</filename> is
30 scanned for the first entry that matches the
31 (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>) or
32 (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>)
33 combination, or, in case of non-networked logins, the first entry
35 (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
36 combination. The permissions field of that table entry determines
37 whether the login will be accepted or refused.
41 Each line of the login access control table has three fields separated
42 by a ":" character (colon):
46 <replaceable>permission</replaceable>:<replaceable>users/groups</replaceable>:<replaceable>origins</replaceable>
51 The first field, the <replaceable>permission</replaceable> field, can be either a
52 "<emphasis>+</emphasis>" character (plus) for access granted or a
53 "<emphasis>-</emphasis>" character (minus) for access denied.
58 <replaceable>users</replaceable>/<replaceable>group</replaceable>
59 field, should be a list of one or more login names, group names, or
60 <emphasis>ALL</emphasis> (which always matches). To differentiate
61 user entries from group entries, group entries should be written
62 with brackets, e.g. <emphasis>(group)</emphasis>.
66 The third field, the <replaceable>origins</replaceable>
67 field, should be a list of one or more tty names (for non-networked
68 logins), host names, domain names (begin with "."), host addresses,
69 internet network numbers (end with "."), internet network addresses
70 with network mask (where network mask can be a decimal number or an
71 internet address also), <emphasis>ALL</emphasis> (which always matches)
72 or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis>
73 keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is
74 not set and <origin> field is thus set from
75 <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>".
76 If supported by the system you can use
77 <emphasis>@netgroupname</emphasis> in host or user patterns. The
78 <emphasis>@@netgroupname</emphasis> syntax is supported in the user
79 pattern only and it makes the local system hostname to be passed
80 to the netgroup match call in addition to the user name. This might not
81 work correctly on some libc implementations causing the match to
86 The <replaceable>EXCEPT</replaceable> operator makes it possible to
87 write very compact rules.
91 If the <option>nodefgroup</option> is not set, the group file
92 is searched when a name does not match that of the logged-in
93 user. Only groups are matched in which users are explicitly listed.
94 However the PAM module does not look at the primary group id of a user.
99 The "<emphasis>#</emphasis>" character at start of line (no space
100 at front) can be used to mark this line as a comment line.
105 <refsect1 id="access.conf-examples">
106 <title>EXAMPLES</title>
108 These are some example lines which might be specified in
109 <filename>/etc/security/access.conf</filename>.
113 User <emphasis>root</emphasis> should be allowed to get access via
114 <emphasis>cron</emphasis>, X11 terminal <emphasis remap='I'>:0</emphasis>,
115 <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>,
116 <emphasis>tty6</emphasis>.
118 <para>+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
121 User <emphasis>root</emphasis> should be allowed to get access from
122 hosts which own the IPv4 addresses. This does not mean that the
123 connection have to be a IPv4 one, a IPv6 connection from a host with
124 one of this IPv4 addresses does work, too.
126 <para>+ : root : 192.168.200.1 192.168.200.4 192.168.200.9</para>
127 <para>+ : root : 127.0.0.1</para>
130 User <emphasis>root</emphasis> should get access from network
131 <literal>192.168.201.</literal> where the term will be evaluated by
132 string matching. But it might be better to use network/netmask instead.
133 The same meaning of <literal>192.168.201.</literal> is
134 <emphasis>192.168.201.0/24</emphasis> or
135 <emphasis>192.168.201.0/255.255.255.0</emphasis>.
137 <para>+ : root : 192.168.201.</para>
140 User <emphasis>root</emphasis> should be able to have access from hosts
141 <emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis>
142 (uses string matching also).
144 <para>+ : root : foo1.bar.org foo2.bar.org</para>
147 User <emphasis>root</emphasis> should be able to have access from
148 domain <emphasis>foo.bar.org</emphasis> (uses string matching also).
150 <para>+ : root : .foo.bar.org</para>
153 User <emphasis>root</emphasis> should be denied to get access
154 from all other sources.
156 <para>- : root : ALL</para>
159 User <emphasis>foo</emphasis> and members of netgroup
160 <emphasis>admins</emphasis> should be allowed to get access
161 from all sources. This will only work if netgroup service is available.
163 <para>+ : @admins foo : ALL</para>
166 User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
167 should get access from IPv6 host address.
169 <para>+ : john foo : 2001:db8:0:101::1</para>
172 User <emphasis>john</emphasis> should get access from IPv6 net/mask.
174 <para>+ : john : 2001:db8:0:101::/64</para>
177 Disallow console logins to all but the shutdown, sync and all
178 other accounts, which are a member of the wheel group.
180 <para>-:ALL EXCEPT (wheel) shutdown sync:LOCAL</para>
183 All other users should be denied to get access from all sources.
185 <para>- : ALL : ALL</para>
189 <refsect1 id="access.conf-see_also">
190 <title>SEE ALSO</title>
192 <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
193 <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
194 <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
198 <refsect1 id="access.conf-author">
199 <title>AUTHORS</title>
201 Original <citerefentry><refentrytitle>login.access</refentrytitle><manvolnum>5</manvolnum></citerefentry>
202 manual was provided by Guido van Rooij which was renamed to
203 <citerefentry><refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
204 to reflect relation to default config file.
207 Network address / netmask description and example text was
208 introduced by Mike Becher <mike.becher@lrz-muenchen.de>.