1*d3bb1208SEmmanuel Vadot# 2*d3bb1208SEmmanuel Vadot# Login access control table. 3*d3bb1208SEmmanuel Vadot# 4*d3bb1208SEmmanuel Vadot# When someone logs in, the table is scanned for the first entry that 5*d3bb1208SEmmanuel Vadot# matches the (user, host) combination, or, in case of non-networked 6*d3bb1208SEmmanuel Vadot# logins, the first entry that matches the (user, tty) combination. The 7*d3bb1208SEmmanuel Vadot# permissions field of that table entry determines whether the login will 8*d3bb1208SEmmanuel Vadot# be accepted or refused. 9*d3bb1208SEmmanuel Vadot# 10*d3bb1208SEmmanuel Vadot# Format of the login access control table is three fields separated by a 11*d3bb1208SEmmanuel Vadot# ":" character: 12*d3bb1208SEmmanuel Vadot# 13*d3bb1208SEmmanuel Vadot# permission : users : origins 14*d3bb1208SEmmanuel Vadot# 15*d3bb1208SEmmanuel Vadot# The first field should be a "+" (access granted) or "-" (access denied) 16*d3bb1208SEmmanuel Vadot# character. The second field should be a list of one or more login names, 17*d3bb1208SEmmanuel Vadot# group names, or ALL (always matches). The third field should be a list 18*d3bb1208SEmmanuel Vadot# of one or more tty names (for non-networked logins), host names, domain 19*d3bb1208SEmmanuel Vadot# names (begin with "."), host addresses, internet network numbers (end 20*d3bb1208SEmmanuel Vadot# with "."), ALL (always matches) or LOCAL (matches any string that does 21*d3bb1208SEmmanuel Vadot# not contain a "." character). If you run NIS you can use @netgroupname 22*d3bb1208SEmmanuel Vadot# in host or user patterns. 23*d3bb1208SEmmanuel Vadot# 24*d3bb1208SEmmanuel Vadot# The EXCEPT operator makes it possible to write very compact rules. 25*d3bb1208SEmmanuel Vadot# 26*d3bb1208SEmmanuel Vadot# The group file is searched only when a name does not match that of the 27*d3bb1208SEmmanuel Vadot# logged-in user. Only groups are matched in which users are explicitly 28*d3bb1208SEmmanuel Vadot# listed: the program does not look at a user's primary group id value. 29*d3bb1208SEmmanuel Vadot# 30*d3bb1208SEmmanuel Vadot############################################################################## 31*d3bb1208SEmmanuel Vadot# 32*d3bb1208SEmmanuel Vadot# Disallow console logins to all but a few accounts. 33*d3bb1208SEmmanuel Vadot# 34*d3bb1208SEmmanuel Vadot#-:ALL EXCEPT wheel shutdown sync:console 35*d3bb1208SEmmanuel Vadot# 36*d3bb1208SEmmanuel Vadot# Disallow non-local logins to privileged accounts (group wheel). 37*d3bb1208SEmmanuel Vadot# 38*d3bb1208SEmmanuel Vadot#-:wheel:ALL EXCEPT LOCAL .win.tue.nl 39*d3bb1208SEmmanuel Vadot# 40*d3bb1208SEmmanuel Vadot# Some accounts are not allowed to login from anywhere: 41*d3bb1208SEmmanuel Vadot# 42*d3bb1208SEmmanuel Vadot#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL 43*d3bb1208SEmmanuel Vadot# 44*d3bb1208SEmmanuel Vadot# All other accounts are allowed to login from anywhere. 45*d3bb1208SEmmanuel Vadot# 46