2007-10-07 17:16:16 +05:30
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-10-11 17:14:43 +05:30
|
|
|
<!--
|
|
|
|
Copyright (c) 1996 - 2000, Marek Michałkiewicz
|
|
|
|
Copyright (c) 2001 - 2006, Tomasz Kłoczko
|
|
|
|
Copyright (c) 2007 - 2008, Nicolas François
|
|
|
|
All rights reserved.
|
|
|
|
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
|
|
modification, are permitted provided that the following conditions
|
|
|
|
are met:
|
|
|
|
1. Redistributions of source code must retain the above copyright
|
|
|
|
notice, this list of conditions and the following disclaimer.
|
|
|
|
2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
notice, this list of conditions and the following disclaimer in the
|
|
|
|
documentation and/or other materials provided with the distribution.
|
|
|
|
3. The name of the copyright holders or contributors may not be used to
|
|
|
|
endorse or promote products derived from this software without
|
|
|
|
specific prior written permission.
|
|
|
|
|
|
|
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
|
|
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
|
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
|
|
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
|
|
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
|
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
|
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
-->
|
2011-07-09 01:19:09 +05:30
|
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
|
|
<!-- SHADOW-CONFIG-HERE -->
|
|
|
|
]>
|
2007-10-07 17:17:01 +05:30
|
|
|
<refentry id='login.access.5'>
|
2007-11-11 05:16:11 +05:30
|
|
|
<!-- $Id$ -->
|
2012-05-25 17:15:21 +05:30
|
|
|
<refentryinfo>
|
|
|
|
<author>
|
|
|
|
<firstname>Marek</firstname>
|
|
|
|
<surname>Michałkiewicz</surname>
|
|
|
|
<contrib>Creation, 1996</contrib>
|
|
|
|
</author>
|
|
|
|
<author>
|
|
|
|
<firstname>Thomas</firstname>
|
|
|
|
<surname>Kłoczko</surname>
|
|
|
|
<email>kloczek@pld.org.pl</email>
|
|
|
|
<contrib>shadow-utils maintainer, 2000 - 2007</contrib>
|
|
|
|
</author>
|
|
|
|
<author>
|
|
|
|
<firstname>Nicolas</firstname>
|
|
|
|
<surname>François</surname>
|
|
|
|
<email>nicolas.francois@centraliens.net</email>
|
|
|
|
<contrib>shadow-utils maintainer, 2007 - now</contrib>
|
|
|
|
</author>
|
|
|
|
</refentryinfo>
|
2007-10-07 17:16:16 +05:30
|
|
|
<refmeta>
|
2007-10-07 17:17:11 +05:30
|
|
|
<refentrytitle>login.access</refentrytitle>
|
2007-10-07 17:16:16 +05:30
|
|
|
<manvolnum>5</manvolnum>
|
2021-10-16 02:58:12 +05:30
|
|
|
<refmiscinfo class="sectdesc">File Formats and Configuration Files</refmiscinfo>
|
2011-07-09 01:19:09 +05:30
|
|
|
<refmiscinfo class="source">shadow-utils</refmiscinfo>
|
|
|
|
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
|
2007-10-07 17:16:16 +05:30
|
|
|
</refmeta>
|
|
|
|
<refnamediv id='name'>
|
|
|
|
<refname>login.access</refname>
|
2007-10-07 17:17:33 +05:30
|
|
|
<refpurpose>login access control table</refpurpose>
|
2007-10-07 17:16:16 +05:30
|
|
|
</refnamediv>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
2007-10-07 17:16:16 +05:30
|
|
|
<refsect1 id='description'>
|
|
|
|
<title>DESCRIPTION</title>
|
|
|
|
<para>
|
2007-10-07 17:17:01 +05:30
|
|
|
The <emphasis remap='I'>login.access</emphasis> file specifies (user,
|
|
|
|
host) combinations and/or (user, tty) combinations for which a login
|
|
|
|
will be either accepted or refused.
|
2007-10-07 17:16:16 +05:30
|
|
|
</para>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
2007-10-07 17:16:16 +05:30
|
|
|
<para>
|
2007-10-07 17:17:01 +05:30
|
|
|
When someone logs in, the <emphasis remap='I'>login.access</emphasis>
|
|
|
|
is scanned for the first entry that matches the (user, host)
|
|
|
|
combination, or, in case of non-networked logins, the first entry that
|
|
|
|
matches the (user, tty) combination. The permissions field of that
|
|
|
|
table entry determines whether the login will be accepted or refused.
|
2007-10-07 17:16:16 +05:30
|
|
|
</para>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
|
|
|
<para>
|
|
|
|
Each line of the login access control table has three fields separated
|
|
|
|
by a ":" character:
|
2007-10-07 17:16:16 +05:30
|
|
|
</para>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
2007-10-07 17:16:16 +05:30
|
|
|
<para>
|
2007-10-07 17:17:11 +05:30
|
|
|
<emphasis remap='I'>permission</emphasis>:<emphasis remap='I'>users</emphasis>:<emphasis remap='I'>origins</emphasis>
|
2007-10-07 17:16:16 +05:30
|
|
|
</para>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
2007-10-07 17:16:16 +05:30
|
|
|
<para>
|
2007-10-07 17:17:01 +05:30
|
|
|
The first field should be a "<emphasis>+</emphasis>" (access granted)
|
|
|
|
or "<emphasis>-</emphasis>" (access denied) character. The second
|
|
|
|
field should be a list of one or more login names, group names, or
|
|
|
|
<emphasis>ALL</emphasis> (always matches). The third field should be a
|
|
|
|
list of one or more tty names (for non-networked logins), host names,
|
2007-10-07 17:16:16 +05:30
|
|
|
domain names (begin with "<literal>.</literal>"), host addresses,
|
2007-10-07 17:17:01 +05:30
|
|
|
internet network numbers (end with "<literal>.</literal>"),
|
|
|
|
<emphasis>ALL</emphasis> (always matches) or
|
|
|
|
<emphasis>LOCAL</emphasis> (matches any string that does not contain a
|
|
|
|
"<literal>.</literal>" character). If you run NIS you can use
|
|
|
|
@netgroupname in host or user patterns.
|
2007-10-07 17:16:16 +05:30
|
|
|
</para>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
2007-10-07 17:16:16 +05:30
|
|
|
<para>
|
2007-10-07 17:17:01 +05:30
|
|
|
The <emphasis>EXCEPT</emphasis> operator makes it possible to write
|
|
|
|
very compact rules.
|
2007-10-07 17:16:16 +05:30
|
|
|
</para>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
|
|
|
<para>
|
|
|
|
The group file is searched only when a name does not match that of the
|
|
|
|
logged-in user. Only groups are matched in which users are explicitly
|
|
|
|
listed: the program does not look at a user's primary group id value.
|
2007-10-07 17:16:16 +05:30
|
|
|
</para>
|
|
|
|
</refsect1>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
2007-10-07 17:16:16 +05:30
|
|
|
<refsect1 id='files'>
|
|
|
|
<title>FILES</title>
|
2007-10-07 17:17:01 +05:30
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term><filename>/etc/login.defs</filename></term>
|
|
|
|
<listitem>
|
2007-10-07 17:17:33 +05:30
|
|
|
<para>Shadow password suite configuration.</para>
|
2007-10-07 17:17:01 +05:30
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
2007-10-07 17:16:16 +05:30
|
|
|
</refsect1>
|
2007-10-07 17:17:01 +05:30
|
|
|
|
2007-10-07 17:16:16 +05:30
|
|
|
<refsect1 id='see_also'>
|
|
|
|
<title>SEE ALSO</title>
|
2007-10-07 17:17:01 +05:30
|
|
|
<para>
|
|
|
|
<citerefentry>
|
|
|
|
<refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
|
|
|
|
</citerefentry>.
|
2007-10-07 17:16:16 +05:30
|
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
</refentry>
|