[people/pmueller/ipfire-2.x.git] / config / shadow / login.access

# $Id$
#
# Login access control table.
# 
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination.  The
# permissions field of that table entry determines whether the login will 
# be accepted or refused.
# 
# Format of the login access control table is three fields separated by a
# ":" character:
# 
# 	permission : users : origins
# 
# The first field should be a "+" (access granted) or "-" (access denied)
# character. 
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches) or LOCAL (matches any string that does not contain a "."
# character).
#
# If you run NIS you can use @netgroupname in host or user patterns; this
# even works for @usergroup@@hostgroup patterns. Weird.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Only groups are matched in which users are explicitly
# listed: the program does not look at a user's primary group id value.
#
##############################################################################
# 
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:console
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.
#
Commit	Line	Data
da314725 MT	1	# $Id$
	2	#
	3	# Login access control table.
	4	#
	5	# When someone logs in, the table is scanned for the first entry that
	6	# matches the (user, host) combination, or, in case of non-networked
	7	# logins, the first entry that matches the (user, tty) combination. The
	8	# permissions field of that table entry determines whether the login will
	9	# be accepted or refused.
	10	#
	11	# Format of the login access control table is three fields separated by a
	12	# ":" character:
	13	#
	14	# permission : users : origins
	15	#
	16	# The first field should be a "+" (access granted) or "-" (access denied)
	17	# character.
	18	#
	19	# The second field should be a list of one or more login names, group
	20	# names, or ALL (always matches). A pattern of the form user@host is
	21	# matched when the login name matches the "user" part, and when the
	22	# "host" part matches the local machine name.
	23	#
	24	# The third field should be a list of one or more tty names (for
	25	# non-networked logins), host names, domain names (begin with "."), host
	26	# addresses, internet network numbers (end with "."), ALL (always
	27	# matches) or LOCAL (matches any string that does not contain a "."
	28	# character).
	29	#
	30	# If you run NIS you can use @netgroupname in host or user patterns; this
	31	# even works for @usergroup@@hostgroup patterns. Weird.
	32	#
	33	# The EXCEPT operator makes it possible to write very compact rules.
	34	#
	35	# The group file is searched only when a name does not match that of the
	36	# logged-in user. Only groups are matched in which users are explicitly
	37	# listed: the program does not look at a user's primary group id value.
	38	#
	39	##############################################################################
	40	#
	41	# Disallow console logins to all but a few accounts.
	42	#
	43	#-:ALL EXCEPT wheel shutdown sync:console
	44	#
	45	# Disallow non-local logins to privileged accounts (group wheel).
	46	#
	47	#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
	48	#
	49	# Some accounts are not allowed to login from anywhere:
	50	#
	51	#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
	52	#
	53	# All other accounts are allowed to login from anywhere.
	54	#