pam_login_access — login.access PAM module
[service-name] module-type control-flag pam_login_access [options]
The login.access service module for PAM, pam_login_access, provides functionality for only one PAM category: account management. In terms of the module-type parameter, this is the “account” feature.
The login.access account management component (pam_sm_acct_mgmt()) returns success if and only if the user is allowed to log in on the specified tty (in the case of a local login) or from the specified remote host (in the case of a remote login), according to the restrictions listed in login.access(5).
accessfile=pathname - specifies a non-standard location for the login.access configuration file (normally located in /etc/login.access).
nodefgroup - makes tokens not enclosed in parentheses only match users, requiring groups to be specified in parentheses. Without nodefgroup, user and group names are intermingled, with user entries taking precedence over group entries. Using nodefgroup is not backwards compatible with legacy login.access configuration files. However, it mitigates confusion between users and groups of the same name.
fieldsep=separators - changes the field separator from the default ":". More than one separator may be specified.
listsep=separators - changes the list separator from the default space (' '), tab (\t) and comma (,). More than one separator may be specified. For example, listsep=; will replace the default with a semicolon (;). This option may be useful when specifying Active Directory group names, which typically contain spaces.
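The effect of nodefgroup and listsep on rule matching can be seen in a small model of the users field. This is an added example, not the module's own code; it assumes the login.access(5) layout of permission, users and origins fields with first-match-wins evaluation, ignores the origins field, EXCEPT and netgroups, and uses constructed rules and names.

```python
import re

def split_any(text, seps, maxsplit=0):
    """Split text on any single character listed in seps."""
    return re.split("[" + re.escape(seps) + "]", text, maxsplit=maxsplit)

def token_matches(token, user, groups, nodefgroup):
    """Match one token of the users field against a user and their groups."""
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups      # parenthesised token: group only
    if token == user:
        return True                       # user names are checked first
    # Bare tokens fall back to group names only when nodefgroup is absent.
    return not nodefgroup and token in groups

def check(rules, user, groups, nodefgroup=False, fieldsep=":", listsep=" \t,"):
    """Return True to allow, False to deny; the first matching rule decides."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, _origins = split_any(line, fieldsep, maxsplit=2)
        tokens = [t for t in split_any(users, listsep) if t]
        if any(token_matches(t, user, groups, nodefgroup) for t in tokens):
            return perm.strip() == "+"
    return True  # model assumption: no matching rule means access is allowed

# Constructed sample: "backup" is both a service account and a group name.
RULES = "-:backup:ALL\n+:ALL:ALL\n"
# Constructed sample: group names containing spaces, for use with listsep=;
AD_RULES = "+:(Domain Admins);(Server Ops):ALL\n-:ALL:ALL\n"

if __name__ == "__main__":
    # alice is only a member of group "backup", yet the bare token denies her.
    print("legacy:    ", check(RULES, "alice", ["backup"]))
    print("nodefgroup:", check(RULES, "alice", ["backup"], nodefgroup=True))
    # The default list separators break group names at the space.
    print("default:   ", check(AD_RULES, "carol", ["Domain Admins"]))
    print("listsep=;: ", check(AD_RULES, "carol", ["Domain Admins"], listsep=";"))
```

With nodefgroup set, denying the group itself requires writing the token as (backup).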
The login.access(5) access control scheme was designed and implemented by Wietse Venema.
The pam_login_access module and this manual page were developed for the FreeBSD Project by ThinkSec AS and NAI Labs, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.