How to use the Linux Access Control Table (Access.conf)

The Login Access Control Table is a file included in the Linux kernel that gives administrators the ability to allow or deny logins based on the user, group, or host associated with the login attempt.

The Login Access Control Table is located at /etc/security/access.conf.

Understanding access.conf

By default access.conf is a file filled with only comments. To allow or deny logins you only need to add an uncommented line of the form permission:user:host.

Let’s take a brief look at each section.

Permission

The permission field is very simple. To create an allow rule, set the permission field to +; to create a deny rule, set it to -.

User

The user field is a list of usernames that the rule will affect. If you wanted to apply a rule to the user root you would add root to the user section.

Two common options for the user field are ALL and NONE. These will (quite intuitively) apply your access control rule to all or none of the users.

The user field also supports negative statements by using the EXCEPT keyword. If you wanted to allow logins from all users except bob123 you could add ALL EXCEPT bob123. This statement will apply the access control rule to everyone except bob123.

The user section also supports groups with a @. If you wanted to apply a rule to all users with a group of admin you can add @admin to the user field of your rule.

Host

The host field allows you to control from where users are allowed to log in.

The host field supports several options that allow you to control local and network logins.

The LOCAL keyword applies a rule to users who are logging in at the physical terminal of the machine.

You can also specify which tty a user is allowed to log in on by adding tty1, tty2, etc. to the host field.

The host field accepts IP addresses too. If you wanted to allow logins only from 10.1.1.123, you can add that address to the host field. IP address ranges can also be specified by leaving off the last octet: 10.1.1. will match any IP address that starts with 10.1.1. and ends with [0-255].

That’s pretty much the basics of the options available to you when creating access control rules. There are some options I didn’t cover, but, as always, they are documented in the Linux man pages.

Examples

Let’s look at some examples of rules we might put in this file.

Deny root logins:

-:root:ALL

Deny root logins via the network:

-:root:ALL EXCEPT LOCAL

Allow a service account to log in only from a single IP address:

+:service_account:10.1.1.123

Allow anyone but root the ability to log in anywhere on the network:

+:ALL EXCEPT root:10.1.1.

A word on order

A word of caution before you embark on your access control adventures. The order of the rules matters. The first rule that matches will be applied.

For example:

+:root:LOCAL

-:root:ALL

will allow local root logins because the allow rule matches prior to the deny rule.
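To make the field semantics and the first-match behaviour concrete, here is a small evaluator, added for this post and not part of pam_access or the original article. It models the pieces described above (ALL, NONE, EXCEPT, @group, LOCAL, tty names, exact IPs and dotted prefixes like 10.1.1.) and walks a constructed rule set built from the post's examples. Group membership is a hypothetical dict standing in for /etc/group, and the rule set and login attempts are constructed sample data. Two details worth knowing that the code encodes: pam_access allows the login when no rule matches, so a policy is only default-deny if you end it with -:ALL:ALL; and these rules only take effect when pam_access.so is enabled in the PAM stack.

```python
"""Simplified evaluator for /etc/security/access.conf rules.

Illustrative code, not pam_access itself. It models the first-match
semantics, EXCEPT lists, @group users, LOCAL, tty names, exact IP
addresses and dotted IP prefixes described in the post.
"""

# Constructed group membership (hypothetical stand-in for /etc/group).
GROUPS = {"admin": {"alice"}}

# Constructed rule set combining the post's examples. Order matters:
# the first rule whose user AND host fields both match decides.
EXAMPLE_RULES = """
# root may log in at the console, but nowhere else
+:root:LOCAL
-:root:ALL
# service account only from one address
+:service_account:10.1.1.123
-:service_account:ALL
# admin group may use the console
+:@admin:LOCAL
# everyone else only from the 10.1.1. range
+:ALL EXCEPT root:10.1.1.
# explicit default deny; without it, an unmatched login is allowed
-:ALL:ALL
"""


def split_list(field):
    """Split a user or host field into (items, except_items)."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Parse permission:user:host lines, ignoring blank and # comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed rule: {line!r}")
        perm, users, hosts = parts
        rules.append((perm == "+", split_list(users), split_list(hosts)))
    return rules


def user_item_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("@"):
        return user in groups.get(item[1:], set())
    return item == user  # NONE never equals a real user name


def host_item_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        # pam_access treats an origin with no '.' or ':' (e.g. a tty name) as local
        return "." not in origin and ":" not in origin
    if item.endswith("."):
        return origin.startswith(item)  # dotted prefix such as 10.1.1.
    return item == origin  # exact tty name or IP address


def list_match(field, match_one):
    """A field matches if any item matches and no EXCEPT item matches."""
    items, excepts = field
    if not any(match_one(i) for i in items):
        return False
    return not any(match_one(e) for e in excepts)


def check_login(rules, user, origin, groups=GROUPS):
    """Return True if the login is permitted.

    `origin` is the remote host, or the tty name for console logins.
    The first rule matching both fields wins; with no matching rule
    pam_access allows the login, which is why the sample ends in -:ALL:ALL.
    """
    for allow, users, hosts in rules:
        users_ok = list_match(users, lambda u: user_item_matches(u, user, groups))
        hosts_ok = list_match(hosts, lambda h: host_item_matches(h, origin))
        if users_ok and hosts_ok:
            return allow
    return True


if __name__ == "__main__":
    rules = parse_rules(EXAMPLE_RULES)
    for user, origin in [("root", "tty1"), ("root", "10.1.1.50"),
                         ("service_account", "10.1.1.123"),
                         ("alice", "tty2"), ("bob", "tty2"), ("bob", "10.1.1.7")]:
        verdict = "allow" if check_login(rules, user, origin) else "deny"
        print(f"{user:16s} from {origin:12s} -> {verdict}")
```

Swapping the first two rules of EXAMPLE_RULES reproduces the lock-out from the order example: -:root:ALL then matches first and console root logins are denied. Running the evaluator over a draft rule set before installing it is a cheap way to catch exactly that mistake.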

Use your newfound knowledge with caution (a.k.a don’t lock yourself out).
