1# $FreeBSD: head/etc/login.access 50472 1999-08-27 23:37:10Z peter $
| 1# $FreeBSD: head/etc/login.access 130151 2004-06-06 11:46:29Z schweikh $
|
2# 3# Login access control table.
| 2# 3# Login access control table.
|
4#
| 4#
|
5# When someone logs in, the table is scanned for the first entry that 6# matches the (user, host) combination, or, in case of non-networked 7# logins, the first entry that matches the (user, tty) combination. The
| 5# When someone logs in, the table is scanned for the first entry that 6# matches the (user, host) combination, or, in case of non-networked 7# logins, the first entry that matches the (user, tty) combination. The
|
8# permissions field of that table entry determines whether the login will
| 8# permissions field of that table entry determines whether the login will
|
9# be accepted or refused.
| 9# be accepted or refused.
|
10#
| 10#
|
11# Format of the login access control table is three fields separated by a 12# ":" character:
| 11# Format of the login access control table is three fields separated by a 12# ":" character:
|
13#
| 13#
|
14# permission : users : origins
| 14# permission : users : origins
|
15#
| 15#
|
16# The first field should be a "+" (access granted) or "-" (access denied) 17# character. The second field should be a list of one or more login names, 18# group names, or ALL (always matches). The third field should be a list 19# of one or more tty names (for non-networked logins), host names, domain 20# names (begin with "."), host addresses, internet network numbers (end 21# with "."), ALL (always matches) or LOCAL (matches any string that does 22# not contain a "." character). If you run NIS you can use @netgroupname 23# in host or user patterns. 24# 25# The EXCEPT operator makes it possible to write very compact rules. 26# 27# The group file is searched only when a name does not match that of the 28# logged-in user. Only groups are matched in which users are explicitly 29# listed: the program does not look at a user's primary group id value. 30# 31##############################################################################
| 16# The first field should be a "+" (access granted) or "-" (access denied) 17# character. The second field should be a list of one or more login names, 18# group names, or ALL (always matches). The third field should be a list 19# of one or more tty names (for non-networked logins), host names, domain 20# names (begin with "."), host addresses, internet network numbers (end 21# with "."), ALL (always matches) or LOCAL (matches any string that does 22# not contain a "." character). If you run NIS you can use @netgroupname 23# in host or user patterns. 24# 25# The EXCEPT operator makes it possible to write very compact rules. 26# 27# The group file is searched only when a name does not match that of the 28# logged-in user. Only groups are matched in which users are explicitly 29# listed: the program does not look at a user's primary group id value. 30# 31##############################################################################
|
32#
| 32#
|
33# Disallow console logins to all but a few accounts. 34# 35#-:ALL EXCEPT wheel shutdown sync:console 36# 37# Disallow non-local logins to privileged accounts (group wheel). 38# 39#-:wheel:ALL EXCEPT LOCAL .win.tue.nl 40# 41# Some accounts are not allowed to login from anywhere: 42# 43#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL 44# 45# All other accounts are allowed to login from anywhere. 46#
| 33# Disallow console logins to all but a few accounts. 34# 35#-:ALL EXCEPT wheel shutdown sync:console 36# 37# Disallow non-local logins to privileged accounts (group wheel). 38# 39#-:wheel:ALL EXCEPT LOCAL .win.tue.nl 40# 41# Some accounts are not allowed to login from anywhere: 42# 43#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL 44# 45# All other accounts are allowed to login from anywhere. 46#
|