NAME
pam_login_access
—
login.access PAM module
SYNOPSIS
[service-name] module-type control-flag pam_login_access [options]
DESCRIPTION
The login.access service module for PAM,pam_login_access
provides functionality for only one
PAM category: account management. In terms of the
module-type parameter, this is the
“account
” feature.
Login.access Account Management Module
The login.access account management
component
(pam_sm_acct_mgmt
()),
returns success if and only the user is allowed to login on the specified
tty (in the case of a local login) or from the specified remote host (in the
case of a remote login), according to the restrictions listed in
login.access(5).
accessfile
=pathname- specifies a non-standard location for the login.access configuration file (normally located in /etc/login.access).
nodefgroup
- makes tokens not enclosed in parentheses only match users, requiring
groups to be specified in parentheses. Without
nodefgroup
user and group names are intermingled, with user entries taking precedence over group entries. This is not backwards compatible with legacy login.access configuration files. However this mitigates confusion between users and groups of the same name. fieldsep
=separators- changes the field separator from the default ":". More than one separator may be specified.
listsep
=separators- changes the field separator from the default space (''), tab (\t) and comma (,). More than one separator may be specified. For example, listsep=; will replace the default with a semicolon (;). This option may be useful when specifying Active Directory groupnames which typically contain spaces.
SEE ALSO
AUTHORS
The login.access(5) access control scheme was designed and implemented by Wietse Venema.
The pam_login_access
module and this
manual page were developed for the FreeBSD Project
by ThinkSec AS and NAI Labs, the Security Research Division of Network
Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
(“CBOSS”), as part of the DARPA CHATS research program.