login.access revision 50472
# $FreeBSD: head/etc/login.access 50472 1999-08-27 23:37:10Z peter $
#
# Login access control table.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
#       permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character. The second field should be a list of one or more login names,
# group names, or ALL (always matches). The third field should be a list
# of one or more tty names (for non-networked logins), host names, domain
# names (begin with "."), host addresses, internet network numbers (end
# with "."), ALL (always matches) or LOCAL (matches any string that does
# not contain a "." character). If you run NIS you can use @netgroupname
# in host or user patterns.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Only groups are matched in which users are explicitly
# listed: the program does not look at a user's primary group id value.
#
##############################################################################
#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:console
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.
#
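
The matching rules described in the comments above, as an added Python example that is not part of the FreeBSD file or of the system's own login code. It evaluates the file's three sample rules with the leading "#" removed, so they are active. Assumptions: a login that matches no entry is accepted, NIS @netgroup patterns are not handled, group membership comes from a constructed dict of explicitly listed members, and all function names are hypothetical.

```python
# Added example: simplified first-match evaluation of login.access rules.
# Assumptions: no NIS @netgroup support; groups = explicitly listed members.
def list_match(tokens, item, match_one):
    """True if item matches a token before EXCEPT and not the list after it."""
    for i, tok in enumerate(tokens):
        if tok == "EXCEPT":
            return False
        if match_one(tok, item):
            rest = tokens[i + 1:]
            if "EXCEPT" not in rest:
                return True
            return not list_match(rest[rest.index("EXCEPT") + 1:], item, match_one)
    return False

def origin_match(tok, origin):
    t, o = tok.lower(), origin.lower()
    if tok == "ALL":
        return True
    if tok == "LOCAL":                 # any string without a "."
        return "." not in origin
    if tok.startswith("."):            # domain name: suffix match
        return len(o) > len(t) and o.endswith(t)
    if tok.endswith("."):              # network number: prefix match
        return o.startswith(t)
    return t == o                      # tty name, host name or host address

def user_match(groups):  # login name first, then explicitly listed group members
    return lambda tok, user: tok in ("ALL", user) or user in groups.get(tok, ())

def login_allowed(table, user, origin, groups):
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("bad login.access entry: " + raw)
        perm, users, origins = fields
        if (list_match(origins.split(), origin, origin_match)
                and list_match(users.split(), user, user_match(groups))):
            return perm == "+"         # first matching entry decides
    return True  # assumption: no matching entry means the login is accepted

# The page's three sample rules, uncommented; group members are constructed.
TABLE = """\
-:ALL EXCEPT wheel shutdown sync:console
-:wheel:ALL EXCEPT LOCAL .win.tue.nl
-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL"""
GROUPS = {"wheel": {"root", "alice"}}
```

Because only explicitly listed members count, an account whose primary group is wheel but which is absent from the wheel member list is treated by these rules as a non-wheel account: refused on the console and not covered by the remote-login restriction.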