Skip to content

Latest commit

 

History

History
134 lines (84 loc) · 3.17 KB

geoip.conf.5.pod

File metadata and controls

134 lines (84 loc) · 3.17 KB
Raw

NAME

geoip.conf - config file for the PAM module pam_geoip

DESCRIPTION

The configuration file (by default /etc/security/geoip.conf) contains lines of four items: domain, service, action and location. For a description of these, see below.

When the service specific configuration file (/etc/security/geoip.SERVICE.conf) is used, the service column must not be present. If this file is present, the default file is not used, even if present on the command line as system_file=/file/name.

If you need to match on city names containing non ascii(7) characters (like DE, Köln or SE, Växjö), you can set the character set to use in the module's arguments: iso-8859-1 or UTF-8 (the default).

Any (sub-)item except for action or the distance matching can use a single asterisk (*) to match any value.

domain

A user name, group name (prefixed by @) or * for any user / group

service

A list of services (or *) separated by , (NO spaces allowed)

action

allow, deny or ignore. This is what will be returned to PAM if the location matches:

allow

PAM_ALLOW

deny

PAM_PERM_DENIED

ignore

PAM_IGNORE

location

GeoIP location, separated by ;. This can be:

  • a country code (uppercased, two characters), * or UNKNOWN

  • a country code like above and , and a city name (or *). When using a GeoIP country database, this part must be *, i.e. the full entry looks like DE, *.

  • a distance from a given point, e.g.

    50.0 { 51.513888, 7.465277 }

    This is not available when using a GeoIP country database.

The location part can use spaces, but note: city names must be given as in the GeoIP database, i.e. Mountain View, NOT Moutain View or MountainView.

The distance is measured in kilometers. In the above example we match a circle of 100 km diameter around Dortmund, Germany (51° 30′ 50″ north, 7° 27′ 50″ east (51.513888888889, 7.465277777777876)). Coordinates west and south are given as negative values. Values must be given in decimal.

EXAMPLE

#
# /etc/security/geoip.conf - config for pam_geoip.so
#

#<domain>   <service>  <action>  <location>
@wheel      sshd       allow     DE,* ; SE , Nybro
@wheel      sshd       allow     SE, Emmaboda; SE,Växjö
someuser    sshd       allow     50.0 { 51.513888, 7.465277 }
someuser    sshd       allow     DE,Köln
otheruser   sshd       allow     SE,Umeå; DK, København
*           *          ignore    UNKNOWN
*           *          deny      *
## END

or the same as /etc/security/geoip.sshd.conf:

#<domain>     <action>  <location>
@wheel        allow     DE,* ; SE , Nybro
@wheel        allow     SE, Emmaboda; SE,Växjö
someuser      allow     50.0 { 51.513888, 7.465277 }
someuser      allow     DE,Köln
otheruser     allow     SE,Umeå; DK, København
*             ignore    UNKNOWN
*             deny      *

SEE ALSO

pam_geoip(8), pam_access(8), pam.d(5), pam(7)

AUTHOR

Amish - GeoIP2 Hanno Hecker - Legacy GeoIP <vetinari@ankh-morp.org>