LinuxQuestions.org


BlackRider 09-17-2012 08:41 AM

Login's Access restrictions - wrong examples in the config file?
 
I have recently been playing with Slackware 14.0 RC4's /etc/login.access file, which is designed to determine who can log on where. The default file has lots of (commented) examples.

The examples suggest that the following line:
Code:

-:myuser:console

should disable console logins for the user "myuser", but it does not happen. I can still log on with "myuser" in the ttys after loading this rule.

Is it that the rule is obsolete, or just that I have misunderstood it? I have found BSD documentation supporting this syntax, but it seemed outdated...

The config file works as expected when the ttys are defined one by one:

-:myuser:/dev/tty1 /dev/tty2

jamesf 09-17-2012 10:29 AM

You're probably encountering the difference between the Linux concept of the "console" and the tty devices.

Sorry, I'm at work and don't have time to go into more detail, but googling "linux console device" and/or "linux console tty" should give you a start.

eternauta2001 09-17-2012 12:11 PM

Other option
 
A command to lock a user account is:

Code:

# passwd -l myuser

To unlock:

Code:

# passwd -u myuser

BlackRider 09-17-2012 12:44 PM

Quote:

Originally Posted by jamesf
You're probably encountering the difference between the Linux concept of the "console" and the tty devices.

That's the first thing I thought. I mean, does the word "console" include the local ttys? The information I gathered from the Internet before posting made me believe that the "console" location should have sufficed to lock the access of "myuser" from the tty of a regular desktop computer. It's evident that I was wrong.

eternauta2001, nice suggestion, but I don't want to lock the account. I would rather set a fake shell for the user (in fact, you can type 'echo "You are a looser. Fsck off!" > /etc/nologin' and it will be more fun :-D ). My objective here is to determine how login.access manages the "console" location and why it does not prevent people from logging in locally.

jamesf 09-18-2012 09:46 AM

Try the boot option "console=/dev/tty1" after setting up -:myuser:console. That should set the Linux console concept to /dev/tty1, and login attempts there should then run afoul of your rule. For extra fun you ought to be able to log in on /dev/tty2.

The console is a separate concept, and can be local, remote, serial, etc.

BlackRider 09-18-2012 10:49 AM

Quote:

Try the boot option "console=/dev/tty1" after setting up -:myuser:console

Nice try, but it didn't work :-) I just passed console=/dev/tty1 to Lilo and logged in as myuser in tty1, disobeying the rule.

Is there a way to set the "console" variable with a live kernel running?

jamesf 09-19-2012 12:36 PM

You're beyond me with that one. Sorry.

AlleyTrotter 09-19-2012 01:00 PM

# The third field should be a list of one or more tty names

it does not mention console

john

BlackRider 09-19-2012 01:05 PM

Quote:

it does not mention console

But the examples given in the config file do.

AlleyTrotter 09-19-2012 01:16 PM

so what is it
you say you are logging in from tty
but you are trying to restrict console

WTF

BlackRider 09-19-2012 01:21 PM

It is just that I supposed that "console" would include the virtual consoles, when it seems it doesn't :-)

wildwizard 09-20-2012 05:27 AM

The correct console= usage is just the device name, not the full path.

So "console=tty1" would work.

Now for some weirdness:

According to the docs on the kernel, console should default to tty0, which should be the first tty (ALT+F1); however, testing here shows that the first tty is actually tty1 (ALT+F1).

Now back to what you want to achieve: according to the man page, there are 2 more options you can use on that line, ALL or LOCAL.

So this should produce the result that you seem to be looking for :-

-:myuser:LOCAL

Assuming that the man page is any good.
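
Added example, not part of the thread: a simplified Python model of the matching rules that login.access(5) describes for non-networked logins, run over the three rules tried above. It assumes login passes the tty as the string /dev/tty1 (the form used in BlackRider's working rule) and leaves out group, host and network matching; all function names are made up for the illustration.

```python
def token_matches_origin(token, origin):
    # Per login.access(5): ALL always matches; LOCAL matches any string
    # without a "."; otherwise the token must equal the tty name.
    # (Host, domain and network forms are left out of this model.)
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin
    return token == origin

def token_matches_user(token, user):
    # Group names are left out of this model.
    return token == "ALL" or token == user

def list_matches(field, value, match_one):
    # "a b EXCEPT c" matches if a or b matches and c does not.
    head, _, rest = field.partition(" EXCEPT ")
    if not any(match_one(t, value) for t in head.split()):
        return False
    return not (rest and list_matches(rest, value, match_one))

def login_allowed(rules_text, user, origin):
    """First matching rule decides; no matching rule means access granted."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_matches(users, user, token_matches_user)
                and list_matches(origins, origin, token_matches_origin)):
            return perm == "+"
    return True

# Constructed rule sets, one per variant discussed in the thread.
RULES = {
    "console": "-:myuser:console",
    "tty list": "-:myuser:/dev/tty1 /dev/tty2",
    "LOCAL": "-:myuser:LOCAL",
}

def audit(user="myuser", origin="/dev/tty1"):
    # origin is the tty string as login is assumed to pass it (assumption).
    return {name: login_allowed(text, user, origin)
            for name, text in RULES.items()}

if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{name:10s} -> {'login allowed' if allowed else 'login denied'}")
```

In this model the literal token "console" only matches a login whose tty name is exactly "console", which is why the first rule leaves tty1 open while the explicit tty list and LOCAL both deny it.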

