24.2.1 Configuring Local Access

You can use the User Manager GUI (system-config-users) to add or delete users and groups and to modify settings such as passwords, home directories, login shells, and group membership. Alternatively, you can use commands such as useradd and groupadd. The User Manager GUI is available if you install the system-config-users package.

To enable local access control, select the Enable local access control check box on the Advanced Options tab of the Authentication Configuration GUI (system-config-authentication). The system can then read the /etc/security/access.conf file for local user authorization rules that specify login combinations that the system accepts or refuses.

Figure 24.2 shows the Authentication Configuration GUI with the Advanced Options tab selected.

Figure 24.2 Authentication Configuration Advanced Options


Alternatively, use the following command:

# authconfig --enablepamaccess --update 

Each entry in /etc/security/access.conf takes the form:

permission : users : origins [ except 

where:

permission

Set to + or - to grant or deny login respectively.

users

Specifies a space-separated list of user or group names or ALL for any user or group. Enclose group names in parentheses to distinguish them from user names. You can use the EXCEPT operator to exclude a list of users from the rule.

origins

Specifies a space-separated list of host names, fully qualified domain names, network addresses, terminal device names, ALL, or NONE. You can use the EXCEPT operator to exclude a list of origins from the rule.

For example, the following rule denies login access by anyone except root from the network 192.168.2.0/24:

- : ALL EXCEPT root : 192.168.2.0/24
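
To check how a rule set treats a given user and origin before relying on it, the following added example (not Oracle's or pam_access's own code) evaluates entries in the form described above. It assumes the behaviour documented in access.conf(5): the first matching entry decides, and a login that matches no entry is granted. The function names and sample rule are constructed for illustration, and host name resolution, netgroups, LOCAL and NONE are not modelled.

```python
import ipaddress

# Constructed sample: the rule shown above, with EXCEPT in upper case.
SAMPLE_RULES = "- : ALL EXCEPT root : 192.168.2.0/24\n"

def list_match(tokens, matches):
    """True if an item before EXCEPT matches and no item after it does."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            break
        if matches(tok):
            rest = [t.upper() for t in tokens[i + 1:]]
            if "EXCEPT" in rest:
                cut = i + 1 + rest.index("EXCEPT") + 1
                return not list_match(tokens[cut:], matches)
            return True
    return False

def user_matcher(user, groups):
    def matches(tok):
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):  # (group) syntax
            return tok[1:-1] in groups
        return tok == user
    return matches

def origin_matcher(origin):
    def matches(tok):
        if tok == "ALL":
            return True
        try:
            net = ipaddress.ip_network(tok, strict=False)
            return ipaddress.ip_address(origin) in net
        except ValueError:
            return tok == origin  # host name or terminal device name
    return matches

def login_allowed(rules, user, origin, groups=()):
    """First matching entry decides; no matching entry grants access."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_match(users.split(), user_matcher(user, groups))
                and list_match(origins.split(), origin_matcher(origin))):
            return perm == "+"
    return True
```

Because unmatched logins are granted, the sample rule alone still admits every user from any origin outside 192.168.2.0/24; a final `- : ALL : ALL` entry is what turns the file into a default-deny list.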

For more information, see the access.conf(5) manual page and Chapter 25, Local Account Configuration.