| 1 | # $FreeBSD: src/etc/login.access,v 1.3 1999/08/27 23:23:42 peter Exp $ |
| 2 | # $DragonFly: src/etc/login.access,v 1.2 2003/06/17 04:24:45 dillon Exp $ |
| 3 | # |
| 4 | # Login access control table. |
| 5 | # |
| 6 | # When someone logs in, the table is scanned for the first entry that |
| 7 | # matches the (user, host) combination, or, in case of non-networked |
| 8 | # logins, the first entry that matches the (user, tty) combination. The |
| 9 | # permissions field of that table entry determines whether the login will |
| 10 | # be accepted or refused. |
| 11 | # |
| 12 | # Format of the login access control table is three fields separated by a |
| 13 | # ":" character: |
| 14 | # |
| 15 | # permission : users : origins |
| 16 | # |
| 17 | # The first field should be a "+" (access granted) or "-" (access denied) |
| 18 | # character. The second field should be a list of one or more login names, |
| 19 | # group names, or ALL (always matches). The third field should be a list |
| 20 | # of one or more tty names (for non-networked logins), host names, domain |
| 21 | # names (begin with "."), host addresses, internet network numbers (end |
| 22 | # with "."), ALL (always matches) or LOCAL (matches any string that does |
| 23 | # not contain a "." character). If you run NIS you can use @netgroupname |
| 24 | # in host or user patterns. |
| 25 | # |
| 26 | # The EXCEPT operator makes it possible to write very compact rules. |
| 27 | # |
| 28 | # The group file is searched only when a name does not match that of the |
| 29 | # logged-in user. Only groups are matched in which users are explicitly |
| 30 | # listed: the program does not look at a user's primary group id value. |
| 31 | # |
| 32 | ############################################################################## |
| 33 | # |
| 34 | # Disallow console logins to all but a few accounts. |
| 35 | # |
| 36 | #-:ALL EXCEPT wheel shutdown sync:console |
| 37 | # |
| 38 | # Disallow non-local logins to privileged accounts (group wheel). |
| 39 | # |
| 40 | #-:wheel:ALL EXCEPT LOCAL .win.tue.nl |
| 41 | # |
| 42 | # Some accounts are not allowed to login from anywhere: |
| 43 | # |
| 44 | #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL |
| 45 | # |
| 46 | # All other accounts are allowed to login from anywhere. |
| 47 | # |