NAME
geoip.conf - config file for the PAM module pam_geoip
DESCRIPTION
The configuration file (by default /etc/security/geoip.conf) contains lines of four items: domain, service, action and location. For a description of these, see below.
When the service-specific configuration file (/etc/security/geoip.SERVICE.conf) is used, the service column must not be present. If this file is present, the default file is not used, even if one is given on the command line as "system_file=/file/name".
If you need to match on city names containing non-ascii(7) characters (like "DE, Köln" or "SE, Växjö"), you can set the character set to use in the module's arguments: "iso-8859-1" or "UTF-8" (the default).
Any (sub-)item except for action or the distance matching can use a single asterisk ("*") to match any value.
domain
    A user name, group name (prefixed by "@") or "*" for any user / group

service
    A list of services (or "*") separated by "," (NO spaces allowed)

action
    "allow", "deny" or "ignore". This is what will be returned to PAM if the location matches:

    allow
        PAM_ALLOW
    deny
        PAM_PERM_DENIED
    ignore
        PAM_IGNORE

location
    GeoIP location, separated by ";". This can be:

    • a country code (uppercased, two characters), "*" or "UNKNOWN"

    • a country code like above and "," and a city name (or "*"). When using a GeoIP country database, this part must be "*", i.e. the full entry looks like "DE, *".

    • a distance from a given point, e.g.

          50.0 { 51.513888, 7.465277 }

      This is not available when using a GeoIP country database.
The location part can use spaces, but note: city names must be given as in the GeoIP database, i.e. "Mountain View", NOT "Moutain View" or "MountainView".

The distance is measured in kilometers. In the above example we match a circle of 100 km diameter around Dortmund, Germany (51° 30′ 50″ north, 7° 27′ 50″ east (51.513888888889, 7.465277777777876)). Coordinates west and south are given as negative values. Values must be given in decimal.
EXAMPLE
#
# /etc/security/geoip.conf - config for pam_geoip.so
#
#<domain> <service> <action> <location>
@wheel sshd allow DE,* ; SE , Nybro
@wheel sshd allow SE, Emmaboda; SE,Växjö
someuser sshd allow 50.0 { 51.513888, 7.465277 }
someuser sshd allow DE,Köln
otheruser sshd allow SE,Umeå; DK, København
* * ignore UNKNOWN
* * deny *
## END
or the same as /etc/security/geoip.sshd.conf:
#<domain> <action> <location>
@wheel allow DE,* ; SE , Nybro
@wheel allow SE, Emmaboda; SE,Växjö
someuser allow 50.0 { 51.513888, 7.465277 }
someuser allow DE,Köln
otheruser allow SE,Umeå; DK, København
* ignore UNKNOWN
* deny *
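
As an added illustration (not part of pam_geoip or its documentation), the following Python code parses rule lines in the format described above and tests a location item against a lookup result, which is useful for checking a rule set before deploying it. The function names, the record layout and the haversine distance formula are assumptions made for this example; the module's own distance calculation may differ.

```python
import math
import re

ACTIONS = {"allow", "deny", "ignore"}
DIST = re.compile(r"^([\d.]+)\s*\{\s*(-?[\d.]+)\s*,\s*(-?[\d.]+)\s*\}$")
COUNTRY = re.compile(r"^(\*|UNKNOWN|[A-Z]{2})$")

def parse_location(item):
    """One ';'-separated item -> ('distance', km, lat, lon) or ('place', CC, city)."""
    item = item.strip()
    m = DIST.match(item)
    if m:
        return ("distance", float(m[1]), float(m[2]), float(m[3]))
    country, _, city = (s.strip() for s in item.partition(","))
    if not COUNTRY.match(country):
        raise ValueError(f"bad country code in {item!r}")
    return ("place", country, city or "*")

def parse_rule(line, service_file=False):
    """Split a rule line; geoip.SERVICE.conf files have no service column."""
    cols = 2 if service_file else 3            # columns before the location
    parts = line.split(None, cols)             # the location keeps its spaces
    if len(parts) != cols + 1:
        raise ValueError(f"expected {cols + 1} items: {line!r}")
    services = None if service_file else parts[1].split(",")
    action, location = parts[-2], parts[-1]
    if action not in ACTIONS:
        raise ValueError(f"bad action {action!r}")
    return parts[0], services, action, [parse_location(i) for i in location.split(";")]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine, Earth radius 6371 km; an assumption)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def location_matches(loc, rec):
    """rec is a constructed lookup result: dict with country, city, lat, lon."""
    if loc[0] == "distance":                   # radius in km around the given point
        return km_between(loc[2], loc[3], rec["lat"], rec["lon"]) <= loc[1]
    return loc[1] in ("*", rec["country"]) and loc[2] in ("*", rec["city"])

# Constructed sample records (approximate coordinates), not real GeoIP output.
ESSEN = {"country": "DE", "city": "Essen", "lat": 51.4556, "lon": 7.0116}
KOELN = {"country": "DE", "city": "Köln", "lat": 50.9375, "lon": 6.9603}
```

With the 50.0 km rule from the example file, the constructed Essen record falls inside the circle around Dortmund and the Köln record falls outside it, so "someuser" would need the separate "DE,Köln" line to log in from there.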
SEE ALSO
pam_geoip(8), pam_access(8), pam.d(5), pam(7)
AUTHOR
Hanno Hecker <vetinari@ankh-morp.org>