The example line in /etc/security/access.conf that disallows console access for any users except those in the wheel or root group does not work as is. #-:ALL EXCEPT wheel shutdown sync:console should instead be #-:ALL EXCEPT wheel shutdown sync:LOCAL Minor bug and it won't affect anyone unless they try to follow the example in which case things won't work as is. A comment in access.conf stating that the following line needs to be added to /etc/pam.d/login might be nice as well. # If you want to use access.conf make sure to add the following line # to /etc/pam.d/login # # account required /lib/security/pam_access.so Also a comment in /etc/security/limits.conf to the same effect would be nice. # If you want to use limits.conf make sure to add the following line # to /etc/pam.d/login (and telnet and sshd if you use those services) # # session required /lib/security/pam_limits.so
The example will be fixed in the upcoming errata. The comments won't be added, though, because we may start using pam_access for networked services by default in the next release, and pam_limits is already used. Thanks!