PNG  IHDR* pHYs+ IDATx]n#; cdLb Ǚ[at¤_:uP}>!Usă cag޿ ֵNu`ݼTâabO7uL&y^wFٝA"l[|ŲHLN밪4*sG3|Dv}?+y߉{OuOAt4Jj.u]Gz*҉sP'VQKbA1u\`& Af;HWj hsO;ogTu uj7S3/QzUr&wS`M$X_L7r2;aE+ώ%vikDA:dR+%KzƉo>eOth$z%: :{WwaQ:wz%4foɹE[9<]#ERINƻv溂E%P1i01 |Jvҗ&{b?9g=^wζXn/lK::90KwrюO\!ջ3uzuGv^;騢wq<Iatv09:tt~hEG`v;3@MNZD.1]L:{ծI3`L(÷ba")Y.iljCɄae#I"1 `3*Bdz>j<fU40⨬%O$3cGt]j%Fߠ_twJ;ABU8vP3uEԑwQ V:h%))LfraqX-ۿX]v-\9I gl8tzX ]ecm)-cgʒ#Uw=Wlێn(0hPP/ӨtQ“&J35 $=]r1{tLuǮ*i0_;NƝ8;-vݏr8+U-kruȕYr0RnC]*ެ(M:]gE;{]tg(#ZJ9y>utRDRMdr9㪩̞zֹb<ģ&wzJM"iI( .ꮅX)Qw:9,i좜\Ԛi7&N0:asϓc];=ΗOӣ APqz93 y $)A*kVHZwBƺnWNaby>XMN*45~ղM6Nvm;A=jֲ.~1}(9`KJ/V F9[=`~[;sRuk]rєT!)iQO)Y$V ی ۤmzWz5IM Zb )ˆC`6 rRa}qNmUfDsWuˤV{ Pݝ'=Kֳbg,UҘVz2ﴻnjNgBb{? ߮tcsͻQuxVCIY۠:(V뺕 ٥2;t`@Fo{Z9`;]wMzU~%UA蛚dI vGq\r82iu +St`cR.6U/M9IENDB`# Login access control table. # # Comment line must start with "#", no space at front. # Order of lines is important. # # When someone logs in, the table is scanned for the first entry that # matches the (user, host) combination, or, in case of non-networked # logins, the first entry that matches the (user, tty) combination. The # permissions field of that table entry determines whether the login will # be accepted or refused. # # Format of the login access control table is three fields separated by a # ":" character: # # [Note, if you supply a 'fieldsep=|' argument to the pam_access.so # module, you can change the field separation character to be # '|'. This is useful for configurations where you are trying to use # pam_access with X applications that provide PAM_TTY values that are # the display variable like "host:0".] # # permission:users:origins # # The first field should be a "+" (access granted) or "-" (access denied) # character. # # The second field should be a list of one or more login names, group # names, or ALL (always matches). A pattern of the form user@host is # matched when the login name matches the "user" part, and when the # "host" part matches the local machine name. # # The third field should be a list of one or more tty names (for # non-networked logins), host names, domain names (begin with "."), host # addresses, internet network numbers (end with "."), ALL (always # matches), NONE (matches no tty on non-networked logins) or # LOCAL (matches any string that does not contain a "." character). # # You can use @netgroupname in host or user patterns; this even works # for @usergroup@@hostgroup patterns. # # The EXCEPT operator makes it possible to write very compact rules. # # The group file is searched only when a name does not match that of the # logged-in user. Both the user's primary group is matched, as well as # groups in which users are explicitly listed. # To avoid problems with accounts, which have the same name as a group, # you can use brackets around group names '(group)' to differentiate. # In this case, you should also set the "nodefgroup" option. # # TTY NAMES: Must be in the form returned by ttyname(3) less the initial # "/dev" (e.g. tty1 or vc/1) # ############################################################################## # # Disallow non-root logins on tty1 # #-:ALL EXCEPT root:tty1 # # Disallow console logins to all but a few accounts. # #-:ALL EXCEPT wheel shutdown sync:LOCAL # # Same, but make sure that really the group wheel and not the user # wheel is used (use nodefgroup argument, too): # #-:ALL EXCEPT (wheel) shutdown sync:LOCAL # # Disallow non-local logins to privileged accounts (group wheel). # #-:wheel:ALL EXCEPT LOCAL .win.tue.nl # # Some accounts are not allowed to login from anywhere: # #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL # # All other accounts are allowed to login from anywhere. # ############################################################################## # All lines from here up to the end are building a more complex example. ############################################################################## # # User "root" should be allowed to get access via cron .. tty5 tty6. #+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 # # User "root" should be allowed to get access from hosts with ip addresses. #+:root:192.168.200.1 192.168.200.4 192.168.200.9 #+:root:127.0.0.1 # # User "root" should get access from network 192.168.201. # This term will be evaluated by string matching. # comment: It might be better to use network/netmask instead. # The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0 #+:root:192.168.201. # # User "root" should be able to have access from domain. # Uses string matching also. #+:root:.foo.bar.org # # User "root" should be denied to get access from all other sources. #-:root:ALL # # User "foo" and members of netgroup "nis_group" should be # allowed to get access from all sources. # This will only work if netgroup service is available. #+:@nis_group foo:ALL # # User "john" should get access from ipv4 net/mask #+:john:127.0.0.0/24 # # User "john" should get access from ipv4 as ipv6 net/mask #+:john:::ffff:127.0.0.0/127 # # User "john" should get access from ipv6 host address #+:john:2001:4ca0:0:101::1 # # User "john" should get access from ipv6 host address (same as above) #+:john:2001:4ca0:0:101:0:0:0:1 # # User "john" should get access from ipv6 net/mask #+:john:2001:4ca0:0:101::/64 # # All other users should be denied to get access from all sources. #-:ALL:ALL