diff options
author | guido <guido@FreeBSD.org> | 1994-05-19 18:13:11 +0000 |
---|---|---|
committer | guido <guido@FreeBSD.org> | 1994-05-19 18:13:11 +0000 |
commit | 459ed7e4316bf44797e4098d54efd58a0803b3b6 (patch) | |
tree | bea6080606e2fc5fcfcff2cb5a12f3acd66bde2e /etc/login.access | |
parent | 58c979d79c586f4248423534773a1da04c7d198d (diff) | |
download | FreeBSD-src-459ed7e4316bf44797e4098d54efd58a0803b3b6.zip FreeBSD-src-459ed7e4316bf44797e4098d54efd58a0803b3b6.tar.gz |
1) Added s/key support .
2 Added optional excessive login logging.
3) Added login acces control on a per host/tty base.
4) See skey(1) for skey descriptions and src/usr.bin/login/README
for the logging and access control features.
-Guido
Diffstat (limited to 'etc/login.access')
-rw-r--r-- | etc/login.access | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/etc/login.access b/etc/login.access new file mode 100644 index 0000000..5cf5454 --- /dev/null +++ b/etc/login.access @@ -0,0 +1,44 @@ +# Login access control table. +# +# When someone logs in, the table is scanned for the first entry that +# matches the (user, host) combination, or, in case of non-networked +# logins, the first entry that matches the (user, tty) combination. The +# permissions field of that table entry determines whether the login will +# be accepted or refused. +# +# Format of the login access control table is three fields separated by a +# ":" character: +# +# permission : users : origins +# +# The first field should be a "+" (access granted) or "-" (access denied) +# character. The second field should be a list of one or more login names, +# group names, or ALL (always matches). The third field should be a list +# of one or more tty names (for non-networked logins), host names, domain +# names (begin with "."), host addresses, internet network numbers (end +# with "."), ALL (always matches) or LOCAL (matches any string that does +# not contain a "." character). If you run NIS you can use @netgroupname +# in host or user patterns. +# +# The EXCEPT operator makes it possible to write very compact rules. +# +# The group file is searched only when a name does not match that of the +# logged-in user. Only groups are matched in which users are explicitly +# listed: the program does not look at a user's primary group id value. +# +############################################################################## +# +# Disallow console logins to all but a few accounts. +# +#-:ALL EXCEPT wheel shutdown sync:console +# +# Disallow non-local logins to privileged accounts (group wheel). +# +#-:wheel:ALL EXCEPT LOCAL .win.tue.nl +# +# Some accounts are not allowed to login from anywhere: +# +#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL +# +# All other accounts are allowed to login from anywhere. +# |