lib/libpam/modules/pam_login_access/login.access.5
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd May 7, 2019 | .Dd January 30, 2020 | ||||
.Dt LOGIN.ACCESS 5 | .Dt LOGIN.ACCESS 5 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm login.access | .Nm login.access | ||||
.Nd login access control table | .Nd login access control table | ||||
.Sh SYNOPSIS | |||||
.Pa /etc/login.access | |||||
.Sh DESCRIPTION | .Sh DESCRIPTION | ||||
The | The | ||||
.Nm | .Nm | ||||
file specifies (user, host) combinations and/or (user, tty) | file specifies (user, host) combinations and/or (user, tty) | ||||
combinations for which a login will be either accepted or refused. | combinations for which a login will be either accepted or refused. | ||||
.Pp | .Pp | ||||
When someone logs in, the | When someone logs in, the | ||||
.Nm | .Nm | ||||
is scanned for the first entry that | is scanned for the first entry that | ||||
matches the (user, host) combination, or, in case of non-networked | matches the (user, host) combination, or, in case of non-networked | ||||
logins, the first entry that matches the (user, tty) combination. | logins, the first entry that matches the (user, tty) combination. | ||||
The | The | ||||
permissions field of that table entry determines whether the login will | permissions field of that table entry determines whether the login will | ||||
be accepted or refused. | be accepted or refused. | ||||
.Pp | .Pp | ||||
Each line of the login access control table has three fields separated by a | Each line of the login access control table has three fields separated by a | ||||
.Ql \&: | .Ql \&: | ||||
character: | character: | ||||
.Ar permission : Ns Ar users : Ns Ar origins | .Ar permission : Ns Ar users : Ns Ar origins | ||||
.Pp | .Pp | ||||
The first field should be a "+" (access granted) or "-" (access denied) | The first field should be a "+" (access granted) or "-" (access denied) | ||||
character. | character. | ||||
.Pp | .Pp | ||||
The second field should be a list of one or more login names, | The second field should be a list of one or more login names, | ||||
group names, or ALL (always matches). | group names, or ALL (always matches). | ||||
Group names must be enclosed in | |||||
parentheses if the pam module specification for | |||||
.Pa pam_login_access | |||||
specifies the | |||||
.Pa nodefgroup | |||||
option. | |||||
Otherwise, group names will only match if no usernames match. | |||||
bcr: You need to make a line break after a sentence stop in man pages.
bjk: A comma after "Otherwise" might be helpful though it's debatable whether it's strictly needed for correctness.
cy: I don't think a comma is needed but I'll put one in there.
.Pp | .Pp | ||||
The third field should be a list | The third field should be a list | ||||
of one or more tty names (for non-networked logins), host names, domain | of one or more tty names (for non-networked logins), host names, domain | ||||
names (begin with "."), host addresses, internet network numbers (end | names (begin with "."), host addresses, internet network numbers (end | ||||
with "."), ALL (always matches) or LOCAL (matches any string that does | with "."), ALL (always matches) or LOCAL (matches any string that does | ||||
not contain a "." character). | not contain a "." character). | ||||
If you run NIS you can use @netgroupname | If you run NIS you can use @netgroupname | ||||
in host or user patterns. | in host or user patterns. | ||||
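Review bot: the two .Pa macros in the group-name paragraph (".Pa pam_login_access" and ".Pa nodefgroup") mark up a module name and a module option, not file paths, so ".Xr pam_login_access 8" and ".Cm nodefgroup" would render and cross-reference more accurately. The closing sentence, "Otherwise, group names will only match if no usernames match.", leaves the reader to infer that "Otherwise" means the case where nodefgroup is not set; because the table is scanned for the first matching entry and that entry decides whether a login is accepted, it is worth naming that case explicitly and showing the parenthesized form of a group entry once. "pam module" should also be written "PAM module".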