'\" t
.\"     Title: pam_abl
.\"    Author: Chris Tasma
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\"      Date: 07/29/2019
.\"    Manual: User Commands
.\"    Source: GNU
.\"  Language: English
.\"
.TH "PAM_ABL" "1" "07/29/2019" "GNU" "User Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_abl \- query or purge the databases used by the pam_abl module\&.
.SH "SYNOPSIS"
.sp
pam_abl [OPTION] [CONFIG]
.SH "DESCRIPTION"
.sp
Provides a non\-pam interface to the infomration stored in the pam_abl module databases\&. CONFIG is the name of the pam_abl config file (default: /etc/security/pam_abl\&.conf)\&. The config file is read to discover the names of the pam_abl databases, the rules that control purging of old data from them and commands to run when a user or host switches state\&.
.SH "OPTIONS"
.SS "MAINTENANCE"
.PP
\fB\-h, \-\-help\fR
.RS 4
See this message\&.
.RE
.PP
\fB\-d, \-\-debugcommand\fR
.RS 4
Print the block/clear commands split in arguments\&.
.RE
.PP
\fB\-p, \-\-purge\fR
.RS 4
Purge databases according to purge rules in config\&.
.RE
.PP
\fB\-r, \-\-relative\fR
.RS 4
Display times relative to now\&.
.RE
.PP
\fB\-v, \-\-verbose\fR
.RS 4
Verbose output\&.
.RE
.SS "NON\-PAM INTERACTION"
.PP
\fB\-f, \-\-fail\fR
.RS 4
Fail user or host\&.
.RE
.PP
\fB\-w, \-\-whitelist\fR
.RS 4
Perform whitelisting (remove from blacklist, does not provide immunity)\&.
.RE
.PP
\fB\-c, \-\-check\fR
.RS 4
Check status\&. Returns non\-zero if currently blocked Prints
\fIname: status\fR
if verboseness is specified\&. If more than one host or user is given, checks only the first host/user pair\&.
.RE
.PP
\fB\-u, \-\-update\fR
.RS 4
Update the state of all users/hosts in the db\&. This will also cause the appropriate scripts to be called\&.
.RE
.PP
\fB\-s, \-\-service\fR
.RS 4
Operate in context of specified service\&. Defaults to
\fInone\fR\&.
.RE
.PP
\fB\-U, \-\-user\fR
.RS 4
Operate on user (wildcards are ok for whitelisting)\&.
.RE
.PP
\fB\-H, \-\-host\fR
.RS 4
Operate on host (wildcards are ok for whitelisting)\&.
.RE
.PP
\fB\-R, \-\-reason\fR
.RS 4
Only used when \-f is provided (defaults to "AUTH")\&. Specifies why the authentication failed\&. Possible values are USER, HOST, BOTH, AUTH
.RE
.sp
If you specified commands to run in your configuration, those commands will try to run if the host or user switches state (blocked <→ clear) since the last time it was checked\&. The command will only be able to run, however, if you supply enough information to fill in the substitutions in the command\&. For instance, if your host_clr_command uses the %s parameter, you will need to specify the service with \-s in order for the command to actually run\&.
.SH "EXAMPLES"
.sp
Obtain a list of failed hosts and users:
.sp
$ pam_abl
.sp
Obtain a full list of failures listing times relative to now:
.sp
$ pam_abl \-rv $ pam_abl \-\-relative \-\-verbose
.sp
Purge old data:
.sp
$ pam_abl \-p $ pam_abl \-\-purge
.sp
Unblock all example\&.com, somewhere\&.com hosts:
.sp
$ pam_abl \-w \-H *\&.example\&.com \-H \e*\&.somewhere\&.com
.sp
Fail the host badguy\&.com and the user joe because the authentication failed:
.sp
$ pam_abl \-f \-H badguy\&.com \-U joe \-R AUTH
.sp
Check whether joe is currently allowed to use your neato service from somehost, running the necessary commands if he switches state:
.sp
$ pam_abl \-c \-U joe \-H somehost \-s neato
.sp
Because the user/host state is only updated when an attempt is made, you can manually force pam\-abl to update the states and call the correct scripts:
.sp
$ pam_abl \-u
.SH "AUTHORS"
.sp
Lode Mertens <pam\-abl@danta\&.be>
.sp
Andy Armstrong <andy@hexten\&.net>
.sp
Chris Tasma <pam\-abl@deksai\&.com>
.SH "REPORTING BUGS"
.sp
Report bugs to <pam\-abl@deksai\&.com> or using the bugtracker on sourceforge\&.
.SH "SEE ALSO"
.sp
pam_abl\&.conf(5), pam_abl(8)
.SH "AUTHOR"
.PP
\fBChris Tasma\fR
.RS 4
Author.
.RE