The Login Access Control Table is a file included in the Linux kernel that gives administrators the ability to allow or deny logins based on the user, group, or host associated with the login attempt.
The Login Access Control Table is located at
access.conf is a file filled with only comments. To allow or deny logins you only need to add an uncommented line of the form
Let’s take a brief look at each section.
The permission section is very simple. To create an allow rule, the permission section should be set to a
+ and deny rules should be set to a
The user field is a list of usernames that the rule will affect. If you wanted to apply a rule to the user
root, you would add
root to the user section.
Two common options for the user field are
NONE. These will (intuitively) apply your access control rule to all or none of the users.
The user field also supports negative statements by using the
EXCEPT keyword. If you wanted to allow logins from all users except
bob123 you could add
ALL EXCEPT bob123. This statement will apply the access control rule to everyone except
The user section also supports groups with a
@. If you wanted to apply a rule to all users with a group of
admin you can add
@admin to the user field of your rule.
The host field allows you to control from where users may log in.
The host field supports several options that allow you to control local and network logins.
LOCAL keyword would apply a rule to users who are logging in at the physical terminal of the machine.
Meanwhile, you can also specify which tty a user may log in with by adding
tty2, etc. to the host field.
The host field accepts IP addresses too. If you wanted to only login from
10.1.1.123 you can add that to the host field. You can also specify IP address ranges by leaving off the last octet.
10.1.1. will allow logins from any IP address that starts with
10.1.1. and ends with
That’s the basics of all the options you have available to you when creating access control rules. There are some options I didn’t cover, but like always, they are available in the Linux man pages.
Let’s look at some examples of how we might use this command.
Deny root logins:
Deny root logins via the network:
-:root:ALL EXCEPT LOCAL
Allow a service account to log in only from a single IP address:
Allow anyone but root the ability to log in anywhere on the network:
+:ALL EXCEPT root: 10.1.1.
A word on order
A word of caution before you embark on your access control adventures. The order of the rules matters. It will apply the first rule that matches.
will allow local root logins because the allow rule matches prior to the deny rule.
Use your newfound knowledge with caution (a.k.a don’t lock yourself out).
If you enjoyed this post, follow me on Twitter for more!