Vetinari's $HOME

NAME

pam_geoip - GeoIP account management module for (Linux-)PAM

SYNOPSIS

 account required pam_geoip.so [system_file=file] [geoip_db=file]
        [charset=name] [action=name] [debug] [geoip6_db=file]
        [use_v6=1] [v6_first=1]

DESCRIPTION

The pam_geoip module provides a check if the remote logged in user is logged in from a given location. This is similar to pam_access(8), but uses a GeoIP City or GeoIP Country database instead of host name / IP matching.

The matching is done on given country and city names or on distance from a given location. With a country database only matches of the countries are possible.

This PAM module provides the account hook only.

If an IP is not found in the GeoIP database, the location to match against is set to UNKNOWN, *, no distance matching is possible for these, of course.

NOTE: pam just receives a hostname. When trying to find an IP for this name the modules tries IPv4 first, then IPv6. This can be changed with the v6_first=1 switch.

IPv6 support is only available with geoip v1.4.8 or greater, and is has to be enabled by using the use_v6=1 switch.

If a file named /etc/security/geoip.SERVICE.conf (with SERVICE being the name of the PAM service) can be opened, this is used instead of the default /etc/security/geoip.conf.

The first matching entry in the geoip.conf(5) file wins, i.e. the action given in this line will be returned to PAM:

allow

PAM_SUCCESS

deny

PAM_PERM_DENIED

ignore

PAM_IGNORE

OPTIONS

These options may be given in the PAM config file as parameters:

system_file=/path/to/geoip.conf

The configuration file for pam_geoip. Default is /etc/security/geoip.conf. For the format of this file, see geoip.conf(5).

NOTE: when a file /etc/security/geoip.SERVICE.conf file is present, this switch is ignored (with SERVICE being the name of the PAM service, e.g. sshd).

geoip_db=/path/to/GeoIPCity.dat

The GeoIP database to use. Default: /usr/local/share/GeoIP/GeoIPCity.dat. This must be a GeoIP City Edition or a GeoIP Country Edition file, see http://www.maxmind.com/en/city, http://www.maxmind.com/en/city and http://dev.maxmind.com/geoip/geolite for more information.

geoip6_db=/path/to/GeoIPCityv6.dat

The GeoIP database to use. Default: /usr/local/share/GeoIP/GeoIPCityv6.dat. This must be a GeoIP City Edition IPv6 or a GeoIP Country Edition IPv6 file, see above for more information.

use_v6=1

Use IPv6 DB.

v6_first=1

Try resolving as IPv6 before trying as IPv4 hostname.

charset=CHARSET

The charset of the config file, defaults to UTF-8. Other possible value is iso-8859-1 (case insensitive).

action=ACTION

Sets the default action if no location matches. Default is deny. Other possible values are allow or ignore. For the meanigns of these, see above.

debug

Adds some debugging output to syslog.

FILES

/etc/security/geoip.conf

The default configuration file for this module

/etc/security/geoip.SERVICE.conf

The default configuration file for PAM service SERVICE

/etc/pam.d/*

The PAM(7) configuration files

SEE ALSO

geoip.conf(5), pam_access(8), pam.d(5), pam(7)

AUTHOR

Hanno Hecker <vetinari@ankh-morp.org>

DOWNLOADS

pam_geoip 1.1