| blob | ffe5fff0abea7737bc940ba93075fc885e159155 |
1 # $FreeBSD$
2 #
3 # Login access control table.
4 #
5 # When someone logs in, the table is scanned for the first entry that
6 # matches the (user, host) combination, or, in case of non-networked
7 # logins, the first entry that matches the (user, tty) combination. The
8 # permissions field of that table entry determines whether the login will
9 # be accepted or refused.
10 #
11 # Format of the login access control table is three fields separated by a
12 # ":" character:
13 #
14 # permission : users : origins
15 #
16 # The first field should be a "+" (access granted) or "-" (access denied)
17 # character. The second field should be a list of one or more login names,
18 # group names, or ALL (always matches). The third field should be a list
19 # of one or more tty names (for non-networked logins), host names, domain
20 # names (begin with "."), host addresses, internet network numbers (end
21 # with "."), ALL (always matches) or LOCAL (matches any string that does
22 # not contain a "." character). If you run NIS you can use @netgroupname
23 # in host or user patterns.
24 #
25 # The EXCEPT operator makes it possible to write very compact rules.
26 #
27 # The group file is searched only when a name does not match that of the
28 # logged-in user. Only groups are matched in which users are explicitly
29 # listed: the program does not look at a user's primary group id value.
30 #
31 ##############################################################################
32 #
33 # Disallow console logins to all but a few accounts.
34 #
35 #-:ALL EXCEPT wheel shutdown sync:console
36 #
37 # Disallow non-local logins to privileged accounts (group wheel).
38 #
39 #-:wheel:ALL EXCEPT LOCAL .win.tue.nl
40 #
41 # Some accounts are not allowed to login from anywhere:
42 #
43 #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
44 #
45 # All other accounts are allowed to login from anywhere.
46 #