NAME
pam_geoip - GeoIP account management module for (Linux-)PAM
SYNOPSIS
account required pam_geoip.so [system_file=file] [geoip_db=file]
[charset=name] [action=name] [debug] [geoip6_db=file]
[use_v6=1] [v6_first=1]
DESCRIPTION
The pam_geoip module checks whether the remote user is logging in from a
given location. This is similar to pam_access(8), but uses a GeoIP City or
GeoIP Country database instead of host name / IP matching.

Matching is done on country and city names, or on the distance from a given
location. With a Country database, only country matches are possible.

This PAM module provides the account hook only.

If an IP is not found in the GeoIP database, the location to match against is
set to "UNKNOWN, *"; distance matching is not possible for such entries.
NOTE: PAM only passes a hostname to the module. When resolving this name to an
IP, the module tries IPv4 first, then IPv6; this order can be reversed with
the "v6_first=1" switch.

IPv6 support is only available with geoip 1.4.8 or greater, and it has to be
enabled with the "use_v6=1" switch.
If a file named /etc/security/geoip.SERVICE.conf (with SERVICE being the
name of the PAM service) can be opened, it is used instead of the default
/etc/security/geoip.conf.

The first matching entry in the geoip.conf(5) file wins, i.e. the action
given in that line is returned to PAM:

allow
    PAM_SUCCESS

deny
    PAM_PERM_DENIED

ignore
    PAM_IGNORE
OPTIONS
These options may be given in the PAM config file as parameters:

system_file=/path/to/geoip.conf
    The configuration file for pam_geoip. Default is
    /etc/security/geoip.conf. For the format of this file, see
    geoip.conf(5).
    NOTE: when a file /etc/security/geoip.SERVICE.conf is present,
    this switch is ignored (with "SERVICE" being the name of the PAM
    service, e.g. "sshd").

geoip_db=/path/to/GeoIPCity.dat
    The GeoIP database to use. Default:
    /usr/local/share/GeoIP/GeoIPCity.dat. This must be a "GeoIP
    City Edition" or a "GeoIP Country Edition" file; see
    <http://www.maxmind.com/en/city> and
    <http://dev.maxmind.com/geoip/geolite> for more information.

geoip6_db=/path/to/GeoIPCityv6.dat
    The IPv6 GeoIP database to use. Default:
    /usr/local/share/GeoIP/GeoIPCityv6.dat. This must be a "GeoIP
    City Edition IPv6" or a "GeoIP Country Edition IPv6" file;
    see above for more information.

use_v6=1
    Use the IPv6 database.

v6_first=1
    Try resolving the hostname as IPv6 before trying IPv4.

charset=CHARSET
    The charset of the config file, defaults to "UTF-8". The other
    possible value is "iso-8859-1" (case insensitive).

action=ACTION
    Sets the default action if no location matches. Default is
    "deny". Other possible values are "allow" or "ignore". For the
    meanings of these, see above.

debug
    Adds some debugging output to syslog.
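As a worked example of the rules above (added here; it is not part of pam_geoip), the hypothetical shell helper below works out, for a given PAM service, which configuration file pam_geoip will actually read and which action it returns when no entry matches. It runs against constructed pam.d and security directories, so the paths and service lines are assumptions.

```shell
#!/bin/sh
# Hypothetical audit helper (not pam_geoip code): report the geoip.conf that
# pam_geoip will read for a PAM service and the action used when no location
# entry matches, following the rules documented in this man page.
# Args: service name, pam.d directory, security directory (defaults as on the page).
effective_geoip_config() {
    service=$1 pamd=${2:-/etc/pam.d} secdir=${3:-/etc/security}
    # pam_geoip is an account module; take the first such line for the service.
    line=$(grep -E '^[[:space:]]*account[[:space:]].*pam_geoip\.so' "$pamd/$service" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "no pam_geoip account line in $pamd/$service" >&2; return 1; }
    system_file=$secdir/geoip.conf   # documented default
    action=deny                      # documented default when nothing matches
    for tok in $line; do
        case $tok in
            system_file=*) system_file=${tok#system_file=} ;;
            action=*)      action=${tok#action=} ;;
        esac
    done
    # A readable geoip.SERVICE.conf silently overrides system_file=.
    if [ -r "$secdir/geoip.$service.conf" ]; then
        system_file=$secdir/geoip.$service.conf
    fi
    case $action in
        allow|deny|ignore) ;;
        *) echo "invalid action=$action in $pamd/$service" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$system_file" "$action"
}

# Constructed fixture: two services, one with a service-specific conf file.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pam.d" "$tmp/security"
    printf 'account required pam_geoip.so system_file=/opt/geoip.conf action=ignore\n' > "$tmp/pam.d/sshd"
    printf 'account required pam_geoip.so debug\n' > "$tmp/pam.d/login"
    : > "$tmp/security/geoip.sshd.conf"   # present, so system_file= above is ignored
    echo "$tmp"
}

demo() {
    fx=$(make_fixture)
    effective_geoip_config sshd  "$fx/pam.d" "$fx/security"   # -> .../security/geoip.sshd.conf ignore
    effective_geoip_config login "$fx/pam.d" "$fx/security"   # -> .../security/geoip.conf deny
    rm -rf "$fx"
}
demo
```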
FILES
/etc/security/geoip.conf
    The default configuration file for this module

/etc/security/geoip.SERVICE.conf
    The configuration file for PAM service SERVICE

/etc/pam.d/*
    The PAM(7) configuration files
SEE ALSO
geoip.conf(5),
pam_access(8),
pam.d(5),
pam(7)
AUTHOR
Hanno Hecker <vetinari@ankh-morp.org>