.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "geoip.conf 5"
.TH geoip.conf 5 "2020-11-19" " " " "
.\" For nroff, turn off justification.
.\" Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
geoip.conf \- config file for the PAM module pam_geoip
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The configuration file (by default \fI/etc/security/geoip.conf\fR) contains
lines of four items: domain, service, action and location. For a
description of these, see below.
.PP
When the service specific configuration file
(\fI/etc/security/geoip.SERVICE.conf\fR) is used, the \fIservice\fR column
must not be present. If this file is present, the default file is not used,
even if present on the command line as \f(CW\*(C`system_file=/file/name\*(C'\fR.
.PP
If you need to match on city names containing non \fBascii\fR\|(7) characters
(like \f(CW\*(C`DE, Köln\*(C'\fR or \f(CW\*(C`SE, Växjö\*(C'\fR), you can set the character set
to use in the module's arguments: \f(CW\*(C`iso\-8859\-1\*(C'\fR or \f(CW\*(C`UTF\-8\*(C'\fR
(the default).
.PP
Any (sub\-)item except for \fIaction\fR or the distance matching can use
a single asterisk (\f(CW\*(C`*\*(C'\fR) to match any value.
.IP "domain" 4
.IX Item "domain"
A user name, group name (prefixed by \f(CW\*(C`@\*(C'\fR) or \f(CW\*(C`*\*(C'\fR for any user / group
.IP "service" 4
.IX Item "service"
A list of services (or \f(CW\*(C`*\*(C'\fR) separated by \f(CW\*(C`,\*(C'\fR (\s-1NO\s0 spaces allowed)
.IP "action" 4
.IX Item "action"
\&\f(CW\*(C`allow\*(C'\fR, \f(CW\*(C`deny\*(C'\fR or \f(CW\*(C`ignore\*(C'\fR. This is what will be returned to
\&\s-1PAM\s0 if the location matches:
.RS 4
.IP "allow" 2
.IX Item "allow"
\&\fI\s-1PAM_ALLOW\s0\fR
.IP "deny" 2
.IX Item "deny"
\&\fI\s-1PAM_PERM_DENIED\s0\fR
.IP "ignore" 2
.IX Item "ignore"
\&\fI\s-1PAM_IGNORE\s0\fR
.RE
.RS 4
.RE
.IP "location" 4
.IX Item "location"
GeoIP location, separated by \f(CW\*(C`;\*(C'\fR.
This can be:
.RS 4
.IP "\(bu" 2
a country code (uppercased, two characters), \f(CW\*(C`*\*(C'\fR or \f(CW\*(C`UNKNOWN\*(C'\fR
.IP "\(bu" 2
a country code like above and \f(CW\*(C`,\*(C'\fR and a city name (or \f(CW\*(C`*\*(C'\fR).
When using a GeoIP country database, this part must be \f(CW\*(C`*\*(C'\fR, i.e. the
full entry looks like \f(CW\*(C`DE, *\*(C'\fR.
.IP "\(bu" 2
a distance from a given point, e.g.
.Sp
.Vb 1
\&    50.0 { 51.513888, 7.465277 }
.Ve
.Sp
This is not available when using a GeoIP country database.
.RE
.RS 4
.RE
.PP
The location part can use spaces, but note: city names must be given as in
the GeoIP database, i.e. \f(CW\*(C`Mountain View\*(C'\fR, \s-1NOT\s0 \f(CW\*(C`Moutain  View\*(C'\fR or
\&\f(CW\*(C`MountainView\*(C'\fR.
.PP
The distance is measured in kilometers. In the above example we match
a circle of 100 km diameter around Dortmund, Germany
(51° 30′ 50″ north, 7° 27′ 50″ east (51.513888888889, 7.465277777777876)).
Coordinates west and south are given as negative values. Values must be
given in decimal.
.SH "EXAMPLE"
.IX Header "EXAMPLE"
.Vb 3
\& #
\& # /etc/security/geoip.conf \- config for pam_geoip.so
\& #
\&
\& #
\& @wheel     sshd  allow   DE,* ; SE , Nybro
\& @wheel     sshd  allow   SE, Emmaboda; SE,Växjö
\& someuser   sshd  allow   50.0 { 51.513888, 7.465277 }
\& someuser   sshd  allow   DE,Köln
\& otheruser  sshd  allow   SE,Umeå; DK, København
\& *          *     ignore  UNKNOWN
\& *          *     deny    *
\& ## END
.Ve
.PP
or the same as \fI/etc/security/geoip.sshd.conf\fR:
.PP
.Vb 8
\& #
\& @wheel     allow   DE,* ; SE , Nybro
\& @wheel     allow   SE, Emmaboda; SE,Växjö
\& someuser   allow   50.0 { 51.513888, 7.465277 }
\& someuser   allow   DE,Köln
\& otheruser  allow   SE,Umeå; DK, København
\& *          ignore  UNKNOWN
\& *          deny    *
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBpam_geoip\fR\|(8), \fBpam_access\fR\|(8), \fBpam.d\fR\|(5), \fBpam\fR\|(7)
.SH "AUTHOR"
.IX Header "AUTHOR"
Amish \- GeoIP2
.PP
Hanno Hecker \- Legacy GeoIP
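.PP
The rule and location syntax described under DESCRIPTION, as an added Python example that is not part of pam_geoip or of the original manual page: it parses rule lines from either file layout and tests one location item against a GeoIP lookup result. The function names, the haversine distance with a 6371 km Earth radius, and the sample lookup coordinates are assumptions; the page does not say how the module computes distance.

```python
import math
import re

# "50.0 { 51.513888, 7.465277 }": radius in km, then latitude and longitude.
DIST_RE = re.compile(r"^([\d.]+)\s*\{\s*(-?[\d.]+)\s*,\s*(-?[\d.]+)\s*\}$")

def parse_location(item):
    """Parse one ';'-separated location item into a tagged tuple."""
    item = item.strip()
    m = DIST_RE.match(item)
    if m:
        return ("distance", float(m.group(1)), float(m.group(2)), float(m.group(3)))
    country, _, city = item.partition(",")
    return ("place", country.strip(), city.strip() or "*")

def parse_rule(line, has_service=True):
    """Split a rule line; use has_service=False for geoip.SERVICE.conf files."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 3 if has_service else 2)
    if len(fields) != (4 if has_service else 3):
        raise ValueError("wrong number of columns: %r" % line)
    domain = fields[0]
    services = fields[1].split(",") if has_service else ["*"]
    action, location = fields[-2], fields[-1]
    if action not in ("allow", "deny", "ignore"):
        raise ValueError("unknown action: %r" % action)
    return domain, services, action, [parse_location(i) for i in location.split(";")]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine; an assumption, see lead-in)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def location_matches(loc, country, city, lat, lon):
    """True if a looked-up GeoIP result satisfies one parsed location item."""
    if loc[0] == "distance":
        return km_between(loc[2], loc[3], lat, lon) <= loc[1]
    return loc[1] in ("*", country) and loc[2] in ("*", city)

# Constructed lookup results (approximate coordinates), not taken from the page.
ESSEN = ("DE", "Essen", 51.4556, 7.0116)
KOELN = ("DE", "Köln", 50.9375, 6.9603)
```

With the 50.0 km rule from the EXAMPLE section, the constructed Essen result falls inside the circle around Dortmund and the constructed Köln result falls outside it, so Köln is only admitted by a rule that names it, such as `DE,Köln`.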