104 lines
3.3 KiB
XML
104 lines
3.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
<refentry id='loginaccess5'>
|
|
<!-- $Id: login.access.5.xml,v 1.5 2005/06/14 20:18:17 kloczek Exp $ -->
|
|
<!-- this is comment -->
|
|
<refmeta>
|
|
<refentrytitle>LOGIN.ACCESS</refentrytitle>
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
<refnamediv id='name'>
|
|
<refname>login.access</refname>
|
|
<refpurpose>Login access control table</refpurpose>
|
|
</refnamediv>
|
|
<!-- body begins here -->
|
|
|
|
<refsect1 id='description'>
|
|
<title>DESCRIPTION</title>
|
|
<para>
|
|
The <emphasis remap='I'>login.access</emphasis> file specifies
|
|
(user, host) combinations and/or
|
|
(user, tty) combinations for which a login will be either accepted
|
|
or
|
|
refused.
|
|
</para>
|
|
|
|
<para>
|
|
When someone logs in, the <emphasis remap='I'>login.access</emphasis> is
|
|
scanned for the first entry
|
|
that matches the (user, host) combination, or, in case of
|
|
non-networked
|
|
logins, the first entry that matches the (user, tty) combination.
|
|
The
|
|
permissions field of that table entry determines whether the login
|
|
will be
|
|
accepted or refused.
|
|
</para>
|
|
|
|
<para>Each line of the login access control table has three fields
|
|
separated by a
|
|
":" character:
|
|
</para>
|
|
|
|
<para>
|
|
<emphasis remap='I'>permission</emphasis>:<emphasis remap='I'>users</emphasis>:<emphasis remap='I'>
|
|
origins
|
|
</emphasis>
|
|
</para>
|
|
|
|
<para>
|
|
The first field should be a "<emphasis remap='B'>+</emphasis>"
|
|
(access granted) or "<emphasis remap='B'>-</emphasis>" (access
|
|
denied) character. The second field should be a list of one or more
|
|
login
|
|
names, group names, or <emphasis remap='B'>ALL</emphasis> (always
|
|
matches). The third field should be
|
|
a list of one or more tty names (for non-networked logins), host
|
|
names,
|
|
domain names (begin with "<literal>.</literal>"), host addresses,
|
|
internet network
|
|
numbers (end with "<literal>.</literal>"), <emphasis remap='B'>ALL</emphasis> (always matches) or <emphasis remap='B'>
|
|
LOCAL
|
|
</emphasis>
|
|
(matches any string that does not contain a "<literal>.</literal>"
|
|
character). If you run
|
|
NIS you can use @netgroupname in host or user patterns.
|
|
</para>
|
|
|
|
<para>
|
|
The <emphasis remap='B'>EXCEPT</emphasis> operator makes it
|
|
possible to write very compact rules.
|
|
</para>
|
|
|
|
<para>The group file is searched only when a name does not match that
|
|
of the
|
|
logged-in user. Only groups are matched in which users are
|
|
explicitly
|
|
listed: the program does not look at a user's primary group id
|
|
value.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='files'>
|
|
<title>FILES</title>
|
|
<para>
|
|
<filename>/etc/loginn.defs</filename> - shadow password suite
|
|
configuration
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='see_also'>
|
|
<title>SEE ALSO</title>
|
|
<para><citerefentry>
|
|
<refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
|
|
</citerefentry>
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='author'>
|
|
<title>AUTHOR</title>
|
|
<para>Guido van Rooij</para>
|
|
</refsect1>
|
|
</refentry>
|