login.access.5 revision 347420

$FreeBSD: stable/10/lib/libpam/modules/pam_login_access/login.access.5 347420 2019-05-10 01:02:07Z cy $

.Dd May 7, 2019
.Dt LOGIN.ACCESS 5
.Os
.Sh NAME
.Nm login.access
.Nd login access control table
.Sh DESCRIPTION
The
.Nm
file specifies (user, host) combinations and/or (user, tty)
combinations for which a login will be either accepted or refused.
.Pp
When someone logs in, the
.Nm
is scanned for the first entry that matches the (user, host)
combination, or, in case of non-networked logins, the first entry
that matches the (user, tty) combination.
The permissions field of that table entry determines whether the
login will be accepted or refused.
.Pp
Each line of the login access control table has three fields separated by a
.Ql :
character:
.Ar permission : Ns Ar users : Ns Ar origins
.Pp
The first field should be a "+" (access granted) or "-" (access denied)
character.
.Pp
The second field should be a list of one or more login names, group
names, or ALL (always matches).
.Pp
The third field should be a list of one or more tty names (for
non-networked logins), host names, domain names (begin with "."), host
addresses, internet network numbers (end with "."), ALL (always
matches) or LOCAL (matches any string that does not contain a "."
character).
If you run NIS you can use @netgroupname in host or user patterns.
.Pp
The EXCEPT operator makes it possible to write very compact rules.
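A simplified model of the first-match scan and the EXCEPT operator described above, written as an added Python example; it is not code from pam_login_access. It assumes whitespace-separated lists and exact string comparison, does not model group names or @netgroupname patterns, and the rule table, user names and host names are constructed.

```python
# Simplified model of the login.access table (added example, not project code).
# Assumptions: whitespace-separated lists, exact string comparison;
# group names and @netgroup patterns are not modeled.

def token_match(tok, value, is_origin):
    if tok == "ALL":
        return True
    if is_origin:
        if tok == "LOCAL":               # any string without a "."
            return "." not in value
        if tok.startswith("."):          # domain name: suffix match
            return value.endswith(tok)
        if tok.endswith("."):            # network number: prefix match
            return value.startswith(tok)
    return tok == value                  # login, tty, host name or address

def list_match(tokens, value, is_origin):
    """Match value against a list; items after EXCEPT veto the match."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, None
    if not any(token_match(t, value, is_origin) for t in head):
        return False
    return tail is None or not list_match(tail, value, is_origin)

def evaluate(table, user, origin):
    """Return '+' or '-' from the first matching entry, None if none matches."""
    for line in filter(None, map(str.strip, table.splitlines())):
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        if (list_match(users.split(), user, False)
                and list_match(origins.split(), origin, True)):
            return perm
    return None

# Constructed sample table: root only from local ttys, alice and bob only
# from one domain or network, everyone else except root refused.
TABLE = """\
-:root:ALL EXCEPT LOCAL
+:alice bob:.example.org 192.0.2.
-:ALL EXCEPT root:ALL
"""
```

Because the scan stops at the first matching entry, moving the last rule to the top would refuse alice and bob everywhere; a result of None means no entry matched and the caller must apply its own default.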

.Pp
The group file is searched only when a name does not match that of the
logged-in user.
Only groups are matched in which users are explicitly listed:
the program does not look at a user's primary group id value.
.Sh FILES
.Bl -tag -width /etc/login.access -compact
.It Pa /etc/login.access
login access control table
.El
.Sh SEE ALSO
.Xr login 1 ,
.Xr pam_login_access 8
.Sh AUTHORS
.An Guido van Rooij