.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "pam_geoip 8"
.TH pam_geoip 8 "2012-12-28" " " " "
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
pam_geoip \- GeoIP account management module for (Linux\-)PAM
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 3
\& account required pam_geoip.so [system_file=file] [geoip_db=file]
\&         [charset=name] [action=name] [debug] [geoip6_db=file]
\&         [use_v6=1] [v6_first=1]
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpam_geoip\fR module checks whether a remotely logged-in user is
connecting from a given location. This is similar to \fIpam_access\fR\|(8), but
uses a GeoIP City or GeoIP Country database instead of host name / \s-1IP\s0
matching.
.PP
Matching is done on given country and city names, or on the distance from a
given location. With a country database, only country matches are possible.
.PP
This \s-1PAM\s0 module provides the \fIaccount\fR hook only.
.PP
If an \s-1IP\s0 is not found in the GeoIP database, the location to match
against is set to \f(CW\*(C`UNKNOWN, *\*(C'\fR; no distance matching is
possible for these, of course.
.PP
\&\fB\s-1NOTE\s0\fR: \fIpam\fR just receives a hostname. When trying to find an
\&\s-1IP\s0 for this name, the module tries IPv4 first, then IPv6. This can be
changed with the \f(CW\*(C`v6_first=1\*(C'\fR switch.
.PP
IPv6 support is only available with geoip v1.4.8 or greater, and it has to be
enabled by using the \f(CW\*(C`use_v6=1\*(C'\fR switch.
.PP
If a file named \fI/etc/security/geoip.SERVICE.conf\fR (with \s-1SERVICE\s0
being the name of the \s-1PAM\s0 service) can be opened, it is used instead of
the default \&\fI/etc/security/geoip.conf\fR.
.PP
The first matching entry in the \fIgeoip.conf\fR\|(5) file wins, i.e.
the action given in this line will be returned to \s-1PAM:\s0
.IP "allow" 4
.IX Item "allow"
\&\s-1PAM_SUCCESS\s0
.IP "deny" 4
.IX Item "deny"
\&\s-1PAM_PERM_DENIED\s0
.IP "ignore" 4
.IX Item "ignore"
\&\s-1PAM_IGNORE\s0
.SH "OPTIONS"
.IX Header "OPTIONS"
These options may be given in the \s-1PAM\s0 config file as parameters:
.IP "system_file=/path/to/geoip.conf" 4
.IX Item "system_file=/path/to/geoip.conf"
The configuration file for \fBpam_geoip\fR. Default is
\&\fI/etc/security/geoip.conf\fR. For the format of this file, see
\&\fIgeoip.conf\fR\|(5).
.Sp
\&\fB\s-1NOTE\s0\fR: when a file \fI/etc/security/geoip.SERVICE.conf\fR is
present, this switch is ignored (with \f(CW\*(C`SERVICE\*(C'\fR being the name
of the \s-1PAM\s0 service, e.g. \&\f(CW\*(C`sshd\*(C'\fR).
.IP "geoip_db=/path/to/GeoIPCity.dat" 4
.IX Item "geoip_db=/path/to/GeoIPCity.dat"
The GeoIP database to use. Default: \fI/usr/local/share/GeoIP/GeoIPCity.dat\fR.
This must be a \f(CW\*(C`GeoIP City Edition\*(C'\fR or a
\&\f(CW\*(C`GeoIP Country Edition\*(C'\fR file, see , and for more information.
.IP "geoip6_db=/path/to/GeoIPCityv6.dat" 4
.IX Item "geoip6_db=/path/to/GeoIPCityv6.dat"
The GeoIP IPv6 database to use. Default:
\&\fI/usr/local/share/GeoIP/GeoIPCityv6.dat\fR. This must be a
\&\f(CW\*(C`GeoIP City Edition IPv6\*(C'\fR or a
\&\f(CW\*(C`GeoIP Country Edition IPv6\*(C'\fR file, see above for more
information.
.IP "use_v6=1" 4
.IX Item "use_v6=1"
Use the IPv6 \s-1DB\s0.
.IP "v6_first=1" 4
.IX Item "v6_first=1"
Try resolving the hostname as IPv6 before trying it as IPv4.
.IP "charset=CHARSET" 4
.IX Item "charset=CHARSET"
The charset of the config file, defaults to \f(CW\*(C`UTF\-8\*(C'\fR. The other
possible value is \f(CW\*(C`iso\-8859\-1\*(C'\fR (case insensitive).
.IP "action=ACTION" 4
.IX Item "action=ACTION"
Sets the default action if no location matches. Default is
\&\f(CW\*(C`deny\*(C'\fR. Other possible values are \f(CW\*(C`allow\*(C'\fR or
\&\f(CW\*(C`ignore\*(C'\fR. For the meanings of these, see above.
.IP "debug" 4
.IX Item "debug"
Adds some debugging output to syslog.
.SH "FILES"
.IX Header "FILES"
.IP "/etc/security/geoip.conf" 4
.IX Item "/etc/security/geoip.conf"
The default configuration file for this module
.IP "/etc/security/geoip.SERVICE.conf" 4
.IX Item "/etc/security/geoip.SERVICE.conf"
The default configuration file for \s-1PAM\s0 service \s-1SERVICE\s0
.IP "/etc/pam.d/*" 4
.IX Item "/etc/pam.d/*"
The \s-1\fIPAM\s0\fR\|(7) configuration files
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgeoip.conf\fR\|(5), \fIpam_access\fR\|(8), \fIpam.d\fR\|(5), \fIpam\fR\|(7)
.SH "AUTHOR"
.IX Header "AUTHOR"
Hanno Hecker \f(CW\*(C`\*(C'\fR
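.SH "EXAMPLES"
The following Python audit helper is an added example, not code from pam_geoip or its author. For one PAM service it resolves which rules file and which default result apply under the rules described in DESCRIPTION and OPTIONS, and lists settings worth reviewing; the function names, the security_dir parameter and the sample line are assumptions made for the example.

```python
import os

# Defaults and return codes as documented on this man page.
DEFAULTS = {"system_file": "/etc/security/geoip.conf", "action": "deny",
            "charset": "UTF-8", "use_v6": "0", "v6_first": "0"}
PAM_RESULT = {"allow": "PAM_SUCCESS", "deny": "PAM_PERM_DENIED",
              "ignore": "PAM_IGNORE"}
KNOWN = set(DEFAULTS) | {"geoip_db", "geoip6_db", "debug"}

# Constructed sample line for illustration, not taken from a real system.
SAMPLE = ("account required pam_geoip.so "
          "system_file=/etc/geoip-ssh.conf action=ignore v6_first=1")


def parse_pam_line(line):
    """Return pam_geoip's options from one /etc/pam.d line, else None.

    Simplification: the control field is one word (no "[...]" form)."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0] != "account":
        return None
    if os.path.basename(fields[2]) != "pam_geoip.so":
        return None
    opts = dict(DEFAULTS, control=fields[1], unknown=[])
    for arg in fields[3:]:
        key, _, value = arg.partition("=")
        if key in KNOWN:
            opts[key] = value
        else:
            opts["unknown"].append(arg)
    return opts


def audit(service, line, security_dir="/etc/security"):
    """Resolve the rules file and default result, plus review findings."""
    opts = parse_pam_line(line)
    if opts is None:
        return None
    findings = [f"unrecognised option {a!r}" for a in opts["unknown"]]
    per_service = os.path.join(security_dir, f"geoip.{service}.conf")
    rules_file = opts["system_file"]
    if os.access(per_service, os.R_OK):  # approximates "can be opened"
        rules_file = per_service
        if opts["system_file"] != DEFAULTS["system_file"]:
            findings.append("system_file= is ignored: per-service file exists")
    default = PAM_RESULT.get(opts["action"])
    if default is None:
        findings.append(f"action={opts['action']} is not allow, deny or ignore")
    elif default != "PAM_PERM_DENIED":
        findings.append(f"unmatched locations return {default}, not a denial")
    if opts["v6_first"] == "1" and opts["use_v6"] != "1":
        findings.append("v6_first=1 without use_v6=1: IPv6 support is not enabled")
    return {"rules_file": rules_file, "default": default, "findings": findings}
```

Calling audit("sshd", SAMPLE) on a host reports the file pam_geoip would read for that service and what a login from an unlisted location would return.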