Commit | Line | Data |
---|---|---|
da314725 MT |
1 | # $Id$ |
2 | # | |
3 | # Login access control table. | |
4 | # | |
5 | # When someone logs in, the table is scanned for the first entry that | |
6 | # matches the (user, host) combination, or, in case of non-networked | |
7 | # logins, the first entry that matches the (user, tty) combination. The | |
8 | # permissions field of that table entry determines whether the login will | |
9 | # be accepted or refused. | |
10 | # | |
11 | # Format of the login access control table is three fields separated by a | |
12 | # ":" character: | |
13 | # | |
14 | # permission : users : origins | |
15 | # | |
16 | # The first field should be a "+" (access granted) or "-" (access denied) | |
17 | # character. | |
18 | # | |
19 | # The second field should be a list of one or more login names, group | |
20 | # names, or ALL (always matches). A pattern of the form user@host is | |
21 | # matched when the login name matches the "user" part, and when the | |
22 | # "host" part matches the local machine name. | |
23 | # | |
24 | # The third field should be a list of one or more tty names (for | |
25 | # non-networked logins), host names, domain names (begin with "."), host | |
26 | # addresses, internet network numbers (end with "."), ALL (always | |
27 | # matches) or LOCAL (matches any string that does not contain a "." | |
28 | # character). | |
29 | # | |
30 | # If you run NIS you can use @netgroupname in host or user patterns; this | |
31 | # even works for @usergroup@@hostgroup patterns. Weird. | |
32 | # | |
33 | # The EXCEPT operator makes it possible to write very compact rules. | |
34 | # | |
35 | # The group file is searched only when a name does not match that of the | |
36 | # logged-in user. Only groups are matched in which users are explicitly | |
37 | # listed: the program does not look at a user's primary group id value. | |
38 | # | |
39 | ############################################################################## | |
40 | # | |
41 | # Disallow console logins to all but a few accounts. | |
42 | # | |
43 | #-:ALL EXCEPT wheel shutdown sync:console | |
44 | # | |
45 | # Disallow non-local logins to privileged accounts (group wheel). | |
46 | # | |
47 | #-:wheel:ALL EXCEPT LOCAL .win.tue.nl | |
48 | # | |
49 | # Some accounts are not allowed to login from anywhere: | |
50 | # | |
51 | #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL | |
52 | # | |
53 | # All other accounts are allowed to login from anywhere. | |
54 | # |
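
The first-match and EXCEPT semantics described in the comments above, as an added example that is not part of this file or of the program that reads it. It is a simplified evaluator: the constructed `GROUPS` dict stands in for the group file, NIS netgroups and `user@host` patterns are left out, and all function names are hypothetical.

```python
# Added example: simplified evaluator for the login access control table.
# Assumptions: GROUPS replaces the group file (constructed data); NIS
# netgroups and user@host patterns are not handled.
GROUPS = {"wheel": {"root", "alice"}}

def list_match(tokens, item, match_one):
    """Match item against tokens; a hit is cancelled if it also matches the EXCEPT tail."""
    cut = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    if not any(match_one(t, item) for t in tokens[:cut]):
        return False
    return not list_match(tokens[cut + 1:], item, match_one)

def user_match(tok, user):
    # Login name is compared first; groups count only by explicit membership.
    return tok == "ALL" or tok == user or user in GROUPS.get(tok, ())

def origin_match(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":                    # any string without a "."
        return "." not in origin
    if tok.startswith("."):               # domain name
        return origin.lower().endswith(tok.lower())
    if tok.endswith("."):                 # internet network number
        return origin.startswith(tok)
    return tok.lower() == origin.lower()  # tty, host name or host address

def login_allowed(table, user, origin):
    """The first matching entry decides; with no match the login is accepted."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        if (list_match(users.split(), user, user_match)
                and list_match(origins.split(), origin, origin_match)):
            return perm == "+"
    return True

# Constructed table: the three sample rules from this file with "#" removed.
TABLE = """\
-:ALL EXCEPT wheel shutdown sync:console
-:wheel:ALL EXCEPT LOCAL .win.tue.nl
-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
"""
```

Because the scan stops at the first match, rule order is part of the policy: a broad `+` entry placed above a `-` entry silently disables the denial.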