author | Christian Grothoff <christian@grothoff.org> | 2021-08-29 14:11:21 +0200 |
committer | Christian Grothoff <christian@grothoff.org> | 2021-08-29 14:11:21 +0200 |
commit | 4234a2882f0812be37721b6b7a58156260d52379 (patch) | |
tree | 9394eba47021a7050c7764b7fed0689d5a15b6fa /grid5000/steps/data/setup/puppet/modules/env/files/std/oar/etc/security/access.conf | |
initial import
Diffstat (limited to 'grid5000/steps/data/setup/puppet/modules/env/files/std/oar/etc/security/access.conf')
-rw-r--r-- | grid5000/steps/data/setup/puppet/modules/env/files/std/oar/etc/security/access.conf | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/grid5000/steps/data/setup/puppet/modules/env/files/std/oar/etc/security/access.conf b/grid5000/steps/data/setup/puppet/modules/env/files/std/oar/etc/security/access.conf
new file mode 100644
index 0000000..d5a4ebb
--- /dev/null
+++ b/grid5000/steps/data/setup/puppet/modules/env/files/std/oar/etc/security/access.conf
@@ -0,0 +1,66 @@
+# Login access control table.
+#
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination. The
+# permissions field of that table entry determines whether the login will
+# be accepted or refused.
+#
+# Format of the login access control table is three fields separated by a
+# ":" character:
+#
+# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
+# module, you can change the field separation character to be
+# '|'. This is useful for configurations where you are trying to use
+# pam_access with X applications that provide PAM_TTY values that are
+# the display variable like "host:0".]
+#
+# permission : users : origins
+#
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character.
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches) or LOCAL (matches any string that does not contain a "."
+# character).
+#
+# If you run NIS you can use @netgroupname in host or user patterns; this
+# even works for @usergroup@@hostgroup patterns. Weird.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Both the user's primary group is matched, as well as
+# groups in which users are explicitly listed.
+#
+# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
+# "/dev" (e.g. tty1 or vc/1)
+#
+##############################################################################
+#
+# Disallow non-root logins on tty1
+#
+#-:ALL EXCEPT root:tty1
+#
+# Disallow console logins to all but a few accounts.
+#
+#-:ALL EXCEPT wheel shutdown sync:LOCAL
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
++:ALL:LOCAL EXCEPT ttyS1
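Review bot: The only active rule, `+:ALL:LOCAL EXCEPT ttyS1` on the last line of the hunk, does not actually deny logins on ttyS1: pam_access grants access when no rule matches, and a ttyS1 origin merely fails to match this allow line, so it falls through to the default allow — the same holds for any non-LOCAL origin (a host or address containing a "."), which this file never matches either. If the intent is to refuse logins on the serial console, an explicit deny is needed, e.g. `-:ALL:ttyS1` ahead of the allow line, or a closing `-:ALL:ALL` so that anything not explicitly granted is refused; the commented examples above the rule show exactly that pattern. Whether pam_access is wired into the PAM stack for login/sshd is not visible in this commit, so the file's effect also depends on that configuration. The intent should be stated next to the rule, e.g. `# Allow all local logins except on ttyS1; note pam_access allows by default when nothing matches`.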