pam_geoip - GeoIP account management module for (Linux-)PAM
account required pam_geoip.so [system_file=file] [geoip_db=file] [charset=name] [action=name] [debug] [geoip6_db=file] [use_v6=1] [v6_first=1]
The pam_geoip module provides a check if the remote logged in user is logged in from a given location. This is similar to pam_access(8), but uses a GeoIP City or GeoIP Country database instead of host name / IP matching.
The matching is done on given country and city names or on distance from a given location. With a country database only matches of the countries are possible.
This PAM module provides the account hook only.
If an IP is not found in the GeoIP database, the location to match against is set to
UNKNOWN, *, no distance matching is possible for these, of course.
NOTE: pam just receives a hostname. When trying to find an IP for this name the modules tries IPv4 first, then IPv6. This can be changed with the
IPv6 support is only available with geoip v1.4.8 or greater, and is has to be enabled by using the
If a file named /etc/security/geoip.SERVICE.conf (with SERVICE being the name of the PAM service) can be opened, this is used instead of the default /etc/security/geoip.conf.
The first matching entry in the geoip.conf(5) file wins, i.e. the action given in this line will be returned to PAM:
These options may be given in the PAM config file as parameters:
The configuration file for pam_geoip. Default is /etc/security/geoip.conf. For the format of this file, see geoip.conf(5).
NOTE: when a file /etc/security/geoip.SERVICE.conf file is present, this switch is ignored (with
SERVICEbeing the name of the PAM service, e.g.
The GeoIP database to use. Default: /usr/local/share/GeoIP/GeoIPCity.dat. This must be a
GeoIP City Editionor a
GeoIP Country Editionfile, see http://www.maxmind.com/en/city, http://www.maxmind.com/en/city and http://dev.maxmind.com/geoip/geolite for more information.
The GeoIP database to use. Default: /usr/local/share/GeoIP/GeoIPCityv6.dat. This must be a
GeoIP City Edition IPv6or a
GeoIP Country Edition IPv6file, see above for more information.
Use IPv6 DB.
Try resolving as IPv6 before trying as IPv4 hostname.
The charset of the config file, defaults to
UTF-8. Other possible value is
Sets the default action if no location matches. Default is
deny. Other possible values are
ignore. For the meanigns of these, see above.
Adds some debugging output to syslog.
The default configuration file for this module
The default configuration file for PAM service SERVICE
The PAM(7) configuration files