====== Group Login Restriction ======

====== What is it? ======

When provisioning a machine (bare-metal or virtual) it is often useful to allow only a certain group of users to log in to it. Since all our Linux systems have a unified user base via AD, we can identify a group of users through regular group management. There are a few methods we make use of to achieve these restrictions.

===== access.conf =====

''/etc/security/access.conf'' is the login access control table, read by ''pam_access''. In this file you specify the users and groups that are allowed (or denied) access to the machine in question. The following examples are all done within ''access.conf''.

Keep in mind that this file is parsed from top to bottom and the first matching line wins, so the **ordering of your directives DOES MATTER**!

===== Giving access to a user/group =====

''+ : acmadmin : ALL''

''+ : (adminGroup) : ALL''

In this example, we are giving access (''+'') to the user ''acmadmin'', and to every member of the group ''adminGroup'' (group names are written in parentheses), from ''ALL'' access points.

===== Deny access to everyone else =====

''- : ALL : ALL''

This disallows login by all users from all sources. **This should generally be the very last directive in the file**: any ''+'' line placed below it is never reached, and without it a user who matches no line at all is still allowed in.

A complete ''access.conf'' that admits ''root'', ''acmadmin'' and the members of the ''wheel'' and ''AcmLanAdmins'' groups and denies everyone else:

<code>
+:root:ALL
+:acmadmin:ALL
+:(wheel):ALL
+:(AcmLanAdmins):ALL
-:ALL:ALL
</code>

====== pam ======

To make PAM consult the table, add the following line to ''/etc/pam.d/system-login'':

<code>
auth required pam_access.so
</code>
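As an added example (not part of the original page or of pam_access itself), the following Python models the first-match-wins semantics of ''access.conf'' described above, so a table can be checked for ordering mistakes before it is deployed. It handles only the syntax used on this page (user, ''(group)'', ''ALL'') and assumes the ''pam_access'' default of granting access when no line matches.

```python
# Added example (not from the wiki page): a first-match-wins model of access.conf so the
# effect of directive ORDER can be checked before a table is deployed. Only the syntax on
# this page is handled (user, (group), ALL); EXCEPT lists and network origins are rejected.
from typing import Iterable, List, Tuple
Rule = Tuple[str, List[str], List[str]]  # (permission, users/groups, origins)

def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'perm : users : origins' lines; '#' comments and blank lines are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-") or "EXCEPT" in line:
            raise ValueError(f"line {lineno}: unsupported or malformed directive {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules

def _user_matches(item: str, user: str, groups: set) -> bool:
    if item.startswith("(") and item.endswith(")"):   # (group) = any member of that group
        return item[1:-1] in groups
    return item == "ALL" or item == user

def decide(rules: List[Rule], user: str, groups: Iterable[str], origin: str = "LOCAL") -> str:
    """Permission ('+'/'-') of the first matching rule. Like pam_access, a user matching no
    line at all is GRANTED access, which is why a trailing '-:ALL:ALL' is needed."""
    gset = set(groups)
    for perm, users, origins in rules:
        if any(_user_matches(u, user, gset) for u in users) and \
           any(o in ("ALL", origin) for o in origins):
            return perm
    return "+"

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier ALL:ALL line precedes them."""
    for i, (_, users, origins) in enumerate(rules):
        if users == ["ALL"] and origins == ["ALL"]:
            return list(range(i + 1, len(rules)))
    return []

# Constructed sample tables: the page's example, and the same lines with the deny moved first.
GOOD = "+:root:ALL\n+:acmadmin:ALL\n+:(wheel):ALL\n+:(AcmLanAdmins):ALL\n-:ALL:ALL\n"
BAD = "-:ALL:ALL\n+:root:ALL\n+:acmadmin:ALL\n+:(wheel):ALL\n+:(AcmLanAdmins):ALL\n"

if __name__ == "__main__":
    for name, table in (("GOOD", GOOD), ("BAD", BAD)):
        r = parse_access_conf(table)
        print(name, decide(r, "alice", ["AcmLanAdmins"]), decide(r, "bob", []), shadowed_rules(r))
```

Running it shows the page's table admitting ''acmadmin'' and ''AcmLanAdmins'' members while denying everyone else, and the reordered table locking everyone out with four shadowed ''+'' lines.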