File: geoip.conf.5.pod

pam-geoip 1.1-4

=encoding utf8

=cut

$Id: geoip.conf.5.pod 45 2013-02-16 10:19:20Z vetinari $

=head1 NAME

geoip.conf - config file for the PAM module pam_geoip

=head1 DESCRIPTION

The configuration file (by default F</etc/security/geoip.conf>) contains lines
of four items: domain, service, action and location. For a description of
these, see below. 

When the service-specific configuration file
(F</etc/security/geoip.SERVICE.conf>) is used, the I<service> column must
not be present. If this file exists, the default file is not used, even
if it is given on the command line as C<system_file=/file/name>.

If you need to match on city names containing non-L<ascii(7)> characters
(like C<DE, Köln> or C<SE, Växjö>), you can set the character set to use
in the module's arguments: C<iso-8859-1> or C<UTF-8> (the default).

Any (sub-)item except for I<action> or the distance matching can use a single
asterisk (C<*>) to match any value.

=over 4

=item domain

A user name, group name (prefixed by C<@>) or C<*> for any user / group

=item service 

A list of services (or C<*>) separated by C<,> (NO spaces allowed)

=item action

C<allow>, C<deny> or C<ignore>. This is what will be returned to PAM if the
location matches: 

=over 2

=item allow 

I<PAM_ALLOW>

=item deny

I<PAM_PERM_DENIED>

=item ignore

I<PAM_IGNORE>

=back

=item location

One or more GeoIP locations, separated by C<;>. Each location can be:

=over 2

=item *

a country code (uppercased, two characters), C<*> or C<UNKNOWN>

=item *

a country code as above, followed by C<,> and a city name (or C<*>). When
using a GeoIP country database, the city part must be C<*>, i.e. the full
entry looks like C<DE, *>.

=item *

a distance from a given point, e.g.

 50.0 { 51.513888, 7.465277 }

This is not available when using a GeoIP country database.

=back

=back

The location part can use spaces, but note: city names must be given as in
the GeoIP database, i.e. S<C<Mountain View>>, NOT S<C<Mountain  View>> or
C<MountainView>.

The distance is measured in kilometers. In the above example we match
a circle of 100 km diameter around Dortmund, Germany (51° 30′ 50″ north, 
7° 27′ 50″ east (51.513888888889, 7.465277777777876)). Coordinates west
and south are given as negative values. Values must be given in decimal.

=head1 EXAMPLE

 #
 # /etc/security/geoip.conf - config for pam_geoip.so
 #
 
 #<domain>   <service>  <action>  <location>
 @wheel      sshd       allow     DE,* ; SE , Nybro 
 @wheel      sshd       allow     SE, Emmaboda; SE,Växjö
 someuser    sshd       allow     50.0 { 51.513888, 7.465277 }
 someuser    sshd       allow     DE,Köln
 otheruser   sshd       allow     SE,Umeå; DK, København
 *           *          ignore    UNKNOWN
 *           *          deny      *
 ## END

or the same as F</etc/security/geoip.sshd.conf>:

 #<domain>     <action>  <location>
 @wheel        allow     DE,* ; SE , Nybro 
 @wheel        allow     SE, Emmaboda; SE,Växjö
 someuser      allow     50.0 { 51.513888, 7.465277 }
 someuser      allow     DE,Köln
 otheruser     allow     SE,Umeå; DK, København
 *             ignore    UNKNOWN
 *             deny      *
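
The following Python checker is an added example, not part of pam_geoip or its documentation: it parses lines in the format described above and tests a GeoIP lookup result against the location column, so a rule file can be checked before it gates logins. The function names, the haversine distance formula and the treatment of a bare country code as "any city" are assumptions.

```python
import math
import re

ACTIONS = {"allow", "deny", "ignore"}
DIST = re.compile(r"^(\d+(?:\.\d+)?)\s*\{\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*\}$")
COUNTRY = re.compile(r"^(?:[A-Z]{2}|\*|UNKNOWN)$")

def parse_location(field):
    """Split the location column on ';' into typed entries."""
    entries = []
    for part in (p.strip() for p in field.split(";")):
        m = DIST.match(part)
        country, _, city = (s.strip() for s in part.partition(","))
        if m:  # radius in km, latitude, longitude
            entries.append(("distance", *map(float, m.groups())))
        elif COUNTRY.match(country):
            entries.append(("place", country, city or "*"))  # bare code = any city (assumption)
        else:
            raise ValueError(f"bad location entry {part!r}")
    return entries

def parse_line(line, per_service=False):
    """Return (domain, services, action, entries); None for blank or '#' lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    want = 3 if per_service else 4
    cols = line.split(None, want - 1)
    if len(cols) != want:
        raise ValueError(f"expected {want} columns: {line!r}")
    if per_service:
        cols.insert(1, "*")  # geoip.SERVICE.conf has no service column
    domain, service, action, location = cols
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return domain, service.split(","), action, parse_location(location)

def km_between(lat1, lon1, lat2, lon2):
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))  # haversine, mean Earth radius (assumed formula)

def location_matches(entries, country, city=None, lat=None, lon=None):
    """True if a GeoIP lookup result matches any entry of a parsed location."""
    for kind, a, b, *rest in entries:
        if kind == "place" and a in ("*", country) and b in ("*", city):
            return True
        if kind == "distance" and lat is not None and km_between(lat, lon, b, rest[0]) <= a:
            return True
    return False
```
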

=head1 SEE ALSO

L<pam_geoip(8)>, L<pam_access(8)>, L<pam.d(5)>, L<pam(7)>

=head1 AUTHOR

Hanno Hecker C<E<lt>vetinari@ankh-morp.orgE<gt>>

=cut