LinuxCommandLibrary

pam_access

Control login access based on rules

SYNOPSIS

pam_access.so [debug] [config=config_file]

PARAMETERS

debug
    Enables verbose debugging output to syslog.

config=config_file
    Specifies an alternative configuration file to use instead of the default /etc/security/access.conf.

DESCRIPTION

The pam_access PAM module provides access control based on login names, hostnames/IP addresses, and network groups. It uses a configuration file (typically /etc/security/access.conf) to define rules for granting or denying access. The module checks the user's account name against a list of permitted and denied login names or groups, and the client's hostname/IP address against a list of allowed or disallowed hosts/networks. This lets system administrators centrally manage login access restrictions based on these criteria.

pam_access is typically used within PAM configuration files (e.g., /etc/pam.d/login, /etc/pam.d/sshd) to control access during authentication. It offers a flexible and configurable way to enhance system security by limiting login privileges based on the user's identity and network location. Rules may combine users, groups and hosts/networks to create fine-grained access policies. It is important to configure access.conf carefully to avoid unintended lockouts.

CAVEATS

Improperly configured access.conf can lock out legitimate users and administrators.
Be cautious when using wildcards or network addresses in access rules.
The order of rules in access.conf is significant: the first matching rule determines the outcome.

ACCESS.CONF SYNTAX

The access.conf file uses a simple syntax:
permission : users/groups : origins

Where:
permission is either '+' (grant access) or '-' (deny access).
users/groups is a comma-separated list of usernames, group names (prefixed with '@'), or wildcards ('ALL', 'LOCAL').
origins is a comma-separated list of hostnames, IP addresses, network addresses (e.g., 192.168.1.0/24), or keywords ('ALL', 'LOCAL').

EXAMPLE ACCESS.CONF RULES

+ : root : ALL
This rule grants root access from all locations.

- : ALL : 192.168.1.0/24
This rule denies everyone access from machines on the 192.168.1.0/24 network.

+ : @wheel : ALL EXCEPT LOCAL
This rule grants users in the wheel group access from all hosts except those considered 'LOCAL'.
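One way to check a policy before it is installed, as an added example that is not part of this page or of Linux-PAM itself: a small Python evaluator that applies the first-match semantics described above to a constructed access.conf built from the rules in this section plus a final catch-all deny. It assumes group names carry the '@' prefix as written on this page, treats an origin with no '.' in it as LOCAL (a simplification), and permits a login that matches no rule, which is why the catch-all deny is included.

```python
import ipaddress

# Constructed access.conf (not the page's file); first matching rule wins.
SAMPLE_CONF = """
+ : root : ALL
- : ALL : 192.168.1.0/24
+ : @wheel : ALL EXCEPT LOCAL
- : ALL : ALL
"""

def parse_rules(text):
    """Yield (permission, users, origins) tuples; '#' comments are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield tuple(f.strip() for f in line.split(":", 2))

def _match_user(item, user, groups):
    if item.startswith("@"):            # group name, as written on this page
        return item[1:] in groups
    return item == "ALL" or item == user

def _match_origin(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":                  # assumption: no '.' in the origin (tty, short hostname)
        return "." not in origin
    if "/" in item:                      # CIDR network such as 192.168.1.0/24
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
        except ValueError:
            return False
    return item == origin                # literal hostname or address

def _field_matches(field, match):
    """Evaluate 'items [EXCEPT items]' over a comma-separated field."""
    head, _, tail = field.partition(" EXCEPT ")
    hit = any(match(i.strip()) for i in head.split(","))
    return hit and not (tail and any(match(i.strip()) for i in tail.split(",")))

def check_access(conf, user, groups, origin):
    """True if the login is permitted; pam_access permits when no rule matches."""
    for perm, users, origins in parse_rules(conf):
        if _field_matches(users, lambda i: _match_user(i, user, groups)) and \
           _field_matches(origins, lambda i: _match_origin(i, origin)):
            return perm == "+"
    return True
```

Running check_access for each administrator and the origins they actually log in from shows, for instance, that a wheel member on the 192.168.1.0/24 network is denied by the second rule before the third is ever reached, the kind of ordering surprise the CAVEATS section warns about.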

SEE ALSO

access.conf(5), pam.conf(5), pam(8)
