geoip.conf - config file for the PAM module pam_geoip
The configuration file (by default /etc/security/geoip.conf) contains lines of four items: domain, service, action and location. For a description of these, see below.
When the service-specific configuration file (/etc/security/geoip.SERVICE.conf) is used, the service column must not be present. If this file exists, the default file is not used, even if it is named on the command line as system_file=/file/name.
If you need to match on city names containing non-ASCII characters (see ascii(7)), like DE, Köln or SE, Växjö, you can set the character set to use in the module's arguments: iso-8859-1 or UTF-8 (the default).
Any (sub-)item except for action or the distance matching can use a single asterisk (*) to match any value.
domain
    A user name, a group name (prefixed by @), or * for any user / group.

service
    A list of services (or *) separated by , (NO spaces allowed).

action
    allow, deny or ignore. This is what will be returned to PAM if the location matches:

    allow     PAM_ALLOW
    deny      PAM_PERM_DENIED
    ignore    PAM_IGNORE

location
    GeoIP location entries, separated by ;. Each entry can be:

    - a country code (uppercased, two characters), * or UNKNOWN
    - a country code like above, a , and a city name (or *). When using a GeoIP country database, this part must be *, i.e. the full entry looks like DE, *
    - a distance from a given point, e.g. 50.0 { 51.513888, 7.465277 }. This is not available when using a GeoIP country database.

    The location part can use spaces, but note: city names must be given as in the GeoIP database, i.e. Mountain View, NOT Moutain View or MountainView.

    The distance is measured in kilometers. In the above example we match a circle of 100 km diameter around Dortmund, Germany (51° 30′ 50″ north, 7° 27′ 50″ east, i.e. 51.513888888889, 7.465277777777876). Coordinates west and south are given as negative values. Values must be given in decimal.
#
# /etc/security/geoip.conf - config for pam_geoip.so
#
#<domain> <service> <action> <location>
@wheel sshd allow DE,* ; SE , Nybro
@wheel sshd allow SE, Emmaboda; SE,Växjö
someuser sshd allow 50.0 { 51.513888, 7.465277 }
someuser sshd allow DE,Köln
otheruser sshd allow SE,Umeå; DK, København
* * ignore UNKNOWN
* * deny *
## END
or the same as /etc/security/geoip.sshd.conf:
#<domain> <action> <location>
@wheel allow DE,* ; SE , Nybro
@wheel allow SE, Emmaboda; SE,Växjö
someuser allow 50.0 { 51.513888, 7.465277 }
someuser allow DE,Köln
otheruser allow SE,Umeå; DK, København
* ignore UNKNOWN
* deny *
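To check a file against the column rules above before it goes into /etc/security, and to see which PAM result a given user, service and GeoIP lookup would produce, here is an added example parser and evaluator in Python. It is not part of pam_geoip. It assumes rules are tried top to bottom with the first matching rule winning (which is what the trailing "ignore UNKNOWN" / "deny *" lines in the examples rely on), and it uses the haversine great-circle formula for the distance entries; the module's own distance computation may differ in detail. The sample configurations and lookup results inside the block are constructed.

```python
"""Parser and first-match evaluator for the geoip.conf / geoip.SERVICE.conf format.
Added example, not pam_geoip's own code; first-match order and the haversine
distance formula are assumptions about the module's behaviour."""
import math
import re

# Constructed sample files, following the column layout documented in geoip.conf(5).
SAMPLE_CONF = """\
#<domain> <service> <action> <location>
@wheel sshd,login allow DE,* ; SE , Nybro
someuser sshd allow 50.0 { 51.513888, 7.465277 }
someuser sshd allow DE,Köln
* * ignore UNKNOWN
* * deny *
"""
SAMPLE_SSHD_CONF = """\
#<domain> <action> <location>
@wheel allow DE,* ; SE , Nybro
* deny *
"""

ACTIONS = {"allow": "PAM_ALLOW", "deny": "PAM_PERM_DENIED", "ignore": "PAM_IGNORE"}
NUM = r"-?\d+(?:\.\d+)?"
# "<radius km> { <lat>, <lon> }" with decimal values, negative for south/west
DISTANCE_RE = re.compile(rf"^(\d+(?:\.\d+)?)\s*\{{\s*({NUM})\s*,\s*({NUM})\s*\}}$")
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")


def parse_location(text):
    """Split the location column on ';' and classify every entry."""
    entries = []
    for raw in text.split(";"):
        raw = raw.strip()
        m = DISTANCE_RE.match(raw)
        if m:
            entries.append(("distance", float(m[1]), float(m[2]), float(m[3])))
            continue
        # "CC", "CC, City", "*" or "UNKNOWN"; spaces around the comma are allowed
        country, _, city = (p.strip() for p in raw.partition(","))
        city = city or "*"
        if country not in ("*", "UNKNOWN") and not COUNTRY_RE.match(country):
            raise ValueError(f"bad country code {country!r} (two uppercase letters expected)")
        entries.append(("country", country, city))
    return entries


def parse_line(line, service_file):
    """Split one rule line; domain/service/action carry no spaces, the rest is the location."""
    ncols = 3 if service_file else 4
    parts = line.split(None, ncols - 1)
    if len(parts) != ncols:
        raise ValueError(f"expected {ncols} columns, got {len(parts)}")
    if service_file:
        domain, action, location = parts
        services = ["*"]          # the service is implied by the file name
    else:
        domain, service, action, location = parts
        services = service.split(",")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return {"domain": domain, "services": services, "action": action,
            "location": parse_location(location)}


def parse_conf(text, service_file=False):
    """Return (rules, errors); comment/blank lines are skipped, bad lines reported by number."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_line(line, service_file)
            rule["line"] = lineno
            rules.append(rule)
        except ValueError as e:
            errors.append(f"line {lineno}: {e}")
    return rules, errors


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (assumed formula, Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def entry_matches(entry, geo):
    """geo is a constructed lookup result: {"country": "DE" or "UNKNOWN", "city", "lat", "lon"}."""
    if entry[0] == "distance":
        _, radius, lat, lon = entry
        if geo.get("lat") is None:   # no coordinates (e.g. country-only database)
            return False
        return haversine_km(lat, lon, geo["lat"], geo["lon"]) <= radius
    _, country, city = entry
    return ((country == "*" or country == geo.get("country", "UNKNOWN"))
            and (city == "*" or city == geo.get("city")))


def domain_matches(domain, user, groups):
    if domain == "*":
        return True
    if domain.startswith("@"):
        return domain[1:] in groups
    return domain == user


def evaluate(rules, user, groups, service, geo):
    """PAM result of the first rule whose domain, service and any location entry match, else None."""
    for rule in rules:
        if not domain_matches(rule["domain"], user, groups):
            continue
        if "*" not in rule["services"] and service not in rule["services"]:
            continue
        if any(entry_matches(e, geo) for e in rule["location"]):
            return ACTIONS[rule["action"]]
    return None


if __name__ == "__main__":
    rules, errors = parse_conf(SAMPLE_CONF)
    print(errors or f"{len(rules)} rules parsed without errors")
    print(evaluate(rules, "alice", ["wheel"], "sshd", {"country": "DE", "city": "Berlin"}))
```

Note that a rule such as "* * deny *" only does its job when nothing above it matched; a lookup that returns no coordinates can never satisfy a distance entry, which is why the country-database caveat in the description matters for a file that relies on such entries.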
SEE ALSO
    pam_geoip(8), pam_access(8), pam.d(5), pam(7)

AUTHORS
    Amish - GeoIP2
    Hanno Hecker - Legacy GeoIP <vetinari@ankh-morp.org>