pam_access module docs added by Tim Berger <timb@transmeta.com>
<sect1> The access module
<tag><bf>Module Name:</bf></tag>
<tag><bf>Author[s]:</bf></tag>
Alexei Nogin <alexei@nogin.dnttm.ru>
<tag><bf>Maintainer:</bf></tag>
<tag><bf>Management groups provided:</bf></tag>
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
Requires a configuration file. By default
<tt>/etc/security/access.conf</tt> is used but this can be overridden.
<tag><bf>Network aware:</bf></tag>
Through <tt/PAM_TTY/ if set; otherwise the module attempts to get the tty name of
the stdin file descriptor with <tt/ttyname()/. Uses the standard
<tt/gethostname()/, <tt/yp_get_default_domain()/ and <tt/gethostbyname()/
calls. <bf/NIS/ is used for netgroup support.
<sect2>Overview of module
Provides logdaemon style login access control.
<sect2> Account component
<tag><bf>Recognized arguments:</bf></tag>
<tt>accessfile=<it>/path/to/file.conf</it></tt>;
<tt>fieldsep=<it>separators</it></tt>
<tag><bf>Description:</bf></tag>
This module provides logdaemon style login access control based on
login names and on host (or domain) names, internet addresses (or
network numbers), or on terminal line names in case of non-networked
logins. Diagnostics are reported through <tt/syslog(3)/. Wietse
Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with
several changes by A. Nogin.
The behavior of this module can be modified with the following
<item><tt>accessfile=/path/to/file.conf</tt> -
indicate an alternative <em/access/ configuration file to override
the default. This can be useful when different services need different
<item><tt>fieldsep=<it>separators</it></tt> -
this option modifies the field separator character that
<tt/pam_access/ will recognize when parsing the access configuration
file. For example: <tt>fieldsep=|</tt> will cause the default `:'
character to be treated as part of a field value and `|' becomes the
field separator. Doing this is useful in conjunction with a system that
wants to use pam_access with X based applications, since the
<tt/PAM_TTY/ item is likely to be of the form "hostname:0" which
includes a `:' character in its value.
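A simplified model of the separator problem described above, as an added example that is not part of the original documentation or the pam_access source. It assumes the three-field rule layout (permission, users, origins), that a line with a wrong field count is skipped, and that the first matching rule decides while no match grants access; <tt/parse_rule/, <tt/check_access/ and the sample rules are constructed for illustration.

```python
import re

# Simplified model of access.conf rule handling (added example, not pam_access source).
# Assumptions: a rule is exactly three fields "permission SEP users SEP origins";
# a line with any other field count is skipped; the first matching rule decides;
# no match means access is granted. EXCEPT, LOCAL, netgroups and network
# matching are left out.

def parse_rule(line, fieldsep=":"):
    """Split one rule on any character in fieldsep; raise ValueError if malformed."""
    parts = re.split("[%s]" % re.escape(fieldsep), line.strip())
    fields = [p.strip() for p in parts if p.strip()]  # strtok-style: drop empty tokens
    if len(fields) != 3 or fields[0] not in ("+", "-"):
        raise ValueError("bad field count or permission: %r" % line)
    perm, users, origins = fields
    return perm, users.split(), origins.split()

def check_access(conf_text, user, origin, fieldsep=":"):
    """Return (allowed, skipped_lines) for `user` logging in from `origin` (PAM_TTY value)."""
    skipped = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            perm, users, origins = parse_rule(line, fieldsep)
        except ValueError:
            skipped.append(line)  # a real deployment should alert on these
            continue
        user_hit = user in users or "ALL" in users
        origin_hit = origin in origins or "ALL" in origins
        if user_hit and origin_hit:
            return perm == "+", skipped
    return True, skipped  # nothing matched: access is granted

# Constructed sample rules: deny alice on the X display "xhost:0".
COLON_CONF = "-:alice:xhost:0\n"
PIPE_CONF = "-|alice|xhost:0\n"

if __name__ == "__main__":
    print(check_access(COLON_CONF, "alice", "xhost:0"))               # deny rule skipped
    print(check_access(PIPE_CONF, "alice", "xhost:0", fieldsep="|"))  # deny rule applied
```

With the default separator the deny rule for "xhost:0" splits into four fields and is skipped, so the login is allowed; with <tt>fieldsep=|</tt> the same rule parses into three fields and denies it.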
<tag><bf>Examples/suggested usage:</bf></tag>
Use of this module is recommended, for example, on administrative machines
such as <bf/NIS/ servers and mail servers where you need several accounts
active but don't want them all to have login capability.
For <tt>/etc/pam.d</tt> style configurations where your modules live
in <tt>/lib/security</tt>, start by adding the following line to
<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>,
<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>:
account required /lib/security/pam_access.so
Note that use of this module is not effective unless your system ignores
<tt>.rhosts</tt> files. See the pam_rhosts_auth documentation.
A sample <tt>access.conf</tt> configuration file is included with the