
How to use the Linux Access Control Table – /etc/security/access.conf

by Sean Ziegler

The Login Access Control Table is a file included in the Linux kernel that gives administrators the ability to allow or deny logins based on the user, group, or host associated with the login attempt.

The Login Access Control Table is located at /etc/security/access.conf.

Understanding access.conf

By default, access.conf contains only comments. To allow or deny logins, add an uncommented line of the form permission:user:host.

Let’s take a brief look at each section.


The permission section is very simple. To create an allow rule, set the permission field to +; to create a deny rule, set it to -.


The user field is a list of the usernames the rule applies to. If you wanted to apply a rule to the user root, you would put root in the user field.

Two common options for the user field are ALL and NONE. These will (intuitively) apply your access control rule to all or none of the users.

The user field also supports negative statements by using the EXCEPT keyword. If you wanted to allow logins from all users except bob123 you could add ALL EXCEPT bob123. This statement will apply the access control rule to everyone except bob123.

The user field also supports groups, prefixed with @. If you wanted to apply a rule to all users in the group admin, you can put @admin in the user field of your rule.


The host field allows you to control from where users may log in.

The host field supports several options that allow you to control local and network logins.

The LOCAL keyword applies a rule to users who are logging in at the physical terminal (console) of the machine.

You can also restrict a rule to a specific tty by adding tty1, tty2, etc. to the host field.

The host field accepts IP addresses too. If you wanted to allow logins only from a single IP address, you can add that address to the host field. You can also specify IP address ranges by leaving off the last octet: 10.1.1. will match logins from any IP address that starts with 10.1.1. and ends with [0-255].

That’s the basics of all the options you have available to you when creating access control rules. There are some options I didn’t cover, but like always, they are available in the Linux man pages.


Let’s look at some examples of how we might use this file.

Deny root logins:


Deny root logins via the network:


Allow a service account to log in only from a single IP address:


Allow anyone but root the ability to log in anywhere on the network:

+:ALL EXCEPT root: 10.1.1.

A word on order

A word of caution before you embark on your access control adventures. The order of the rules matters: rules are evaluated top to bottom, and the first rule that matches is applied; any later rules are ignored for that login.

For example:



will allow local root logins because the allow rule matches prior to the deny rule.
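The example rules above and the first-match behaviour are easier to reason about with a small simulator. The following Python script is an added example; it is not from the article and it is not the real module (pam_access). It parses rules in the article's permission:user:host form, applies them in order with first-match semantics, and evaluates a set of constructed login attempts against a draft rule set so that a lockout shows up before the file goes live. Everything in it is an assumption: the user names (root, svc_backup, alice, bob), the admin group, the addresses, and the simplification that LOCAL matches any origin that is not an IP address. Two caveats worth knowing: pam_access only consults the file when it is listed in the PAM stack, and when no rule matches at all it grants access, which the simulator mirrors.

```python
import ipaddress

# Constructed rule set; every user name, group and address is an assumption.
EXAMPLE_CONF = """\
# root at the console only: the allow line must come before the deny line
+:root:LOCAL
-:root:ALL
# service account from a single address only
+:svc_backup:10.1.1.50
-:svc_backup:ALL
# members of group admin from anywhere, everyone else only from 10.1.1.0/24
+:@admin:ALL
+:ALL EXCEPT root:10.1.1.
# anything not matched above is denied (this also covers the console)
-:ALL:ALL
"""

# Constructed group membership (stands in for /etc/group).
EXAMPLE_GROUPS = {"admin": {"alice"}}


def _split_except(field):
    """Split 'A B EXCEPT C' into (['A', 'B'], ['C']); tokens are space or comma separated."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Parse permission:users:origins lines; '#' lines and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected permission:users:origins, got {raw!r}")
        rules.append((parts[0] == "+", _split_except(parts[1]), _split_except(parts[2])))
    return rules


def _is_ip(origin):
    try:
        ipaddress.ip_address(origin)
        return True
    except ValueError:
        return False


def _user_token_matches(token, user, groups):
    if token == "ALL":
        return True
    if token == "NONE":
        return False
    if token.startswith("@"):            # @group: any member of the named group
        return user in groups.get(token[1:], set())
    return token == user


def _origin_token_matches(token, origin):
    if token == "ALL":
        return True
    if token == "NONE":
        return False
    if token == "LOCAL":                 # simulator assumption: anything that is not a network address
        return not _is_ip(origin)
    if token.endswith("."):              # dotted prefix such as 10.1.1. covers 10.1.1.0-255
        return _is_ip(origin) and origin.startswith(token)
    return token == origin               # exact tty name or IP address


def _field_matches(base, exceptions, value, match):
    """A field matches when some base token matches and no EXCEPT token does."""
    return any(match(t, value) for t in base) and not any(match(t, value) for t in exceptions)


def check_login(conf_text, user, origin, groups=None):
    """True if the login is allowed. First matching rule wins; no match at all means allow."""
    groups = groups or {}
    for allow, users, origins in parse_rules(conf_text):
        if (_field_matches(*users, user, lambda t, u: _user_token_matches(t, u, groups))
                and _field_matches(*origins, origin, _origin_token_matches)):
            return allow
    return True


def lockout_report(conf_text, attempts, groups=None):
    """Evaluate a list of (user, origin) attempts against a draft rule set."""
    return {(u, o): ("allow" if check_login(conf_text, u, o, groups) else "deny")
            for u, o in attempts}


if __name__ == "__main__":
    attempts = [("root", "tty1"), ("root", "10.1.1.5"), ("svc_backup", "10.1.1.50"),
                ("svc_backup", "10.1.1.51"), ("alice", "203.0.113.9"), ("bob", "10.1.1.20"),
                ("bob", "203.0.113.9"), ("bob", "tty2")]
    for (u, o), verdict in lockout_report(EXAMPLE_CONF, attempts, EXAMPLE_GROUPS).items():
        print(f"{verdict:5} {u}@{o}")
    # The same two root rules in both orders: only the allow-first order keeps console root.
    print(check_login("+:root:LOCAL\n-:root:ALL\n", "root", "tty1"),
          check_login("-:root:ALL\n+:root:LOCAL\n", "root", "tty1"))
```

Run it against a draft of your own rules with the user/origin pairs you actually care about (your own account from your own address first), and note that in the constructed set the closing -:ALL:ALL line denies bob at the console too, which is exactly the kind of surprise the simulator is meant to surface.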


Use your newfound knowledge with caution (a.k.a don’t lock yourself out).
