shadow/man/login.access.5.xml

86 lines
3.0 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<refentry id='login.access.5'>
<!-- $Id: login.access.5.xml,v 1.20 2006/05/20 12:11:38 kloczek Exp $ -->
<refmeta>
<refentrytitle>login.access</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="sectdesc">File Formats and Conversions</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>login.access</refname>
<refpurpose>login access control table</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
The <emphasis remap='I'>login.access</emphasis> file specifies (user,
host) combinations and/or (user, tty) combinations for which a login
will be either accepted or refused.
</para>
<para>
When someone logs in, the <emphasis remap='I'>login.access</emphasis>
is scanned for the first entry that matches the (user, host)
combination, or, in case of non-networked logins, the first entry that
matches the (user, tty) combination. The permissions field of that
table entry determines whether the login will be accepted or refused.
</para>
<para>
Each line of the login access control table has three fields separated
by a ":" character:
</para>
<para>
<emphasis remap='I'>permission</emphasis>:<emphasis remap='I'>users</emphasis>:<emphasis remap='I'>origins</emphasis>
</para>
<para>
The first field should be a "<emphasis>+</emphasis>" (access granted)
or "<emphasis>-</emphasis>" (access denied) character. The second
field should be a list of one or more login names, group names, or
<emphasis>ALL</emphasis> (always matches). The third field should be a
list of one or more tty names (for non-networked logins), host names,
domain names (begin with "<literal>.</literal>"), host addresses,
internet network numbers (end with "<literal>.</literal>"),
<emphasis>ALL</emphasis> (always matches) or
<emphasis>LOCAL</emphasis> (matches any string that does not contain a
"<literal>.</literal>" character). If you run NIS you can use
@netgroupname in host or user patterns.
</para>
<para>
The <emphasis>EXCEPT</emphasis> operator makes it possible to write
very compact rules.
</para>
<para>
The group file is searched only when a name does not match that of the
logged-in user. Only groups are matched in which users are explicitly
listed: the program does not look at a user's primary group id value.
</para>
</refsect1>
<refsect1 id='files'>
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/etc/login.defs</filename></term>
<listitem>
<para>Shadow password suite configuration.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>