Vetinari's $HOME

NAME

pam_geoip - GeoIP account management module for (Linux-)PAM

SYNOPSIS

 account required pam_geoip.so [system_file=file] [geoip_db=file]
        [charset=name] [action=name] [debug]

DESCRIPTION

The pam_geoip module checks whether a remote user is logging in from a given location. This is similar to pam_access(8), but uses a GeoIP City database instead of host name / IP matching.

The matching is done on given country and city names or on distance from a given location.

This PAM module provides the account hook only.

If an IP is not found in the GeoIP database, the location to match against is set to UNKNOWN, *. No distance matching is possible for these, of course.

The first matching entry in the geoip.conf file wins, i.e. the action given in this line will be returned to PAM:

allow

PAM_SUCCESS

deny

PAM_PERM_DENIED

ignore

PAM_IGNORE
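The evaluation order described above can be modelled as follows. This is an added example, not code from pam_geoip: the rule dictionaries are a hypothetical stand-in for geoip.conf entries (not its syntax), and the "*" city wildcard and the haversine distance formula are assumptions.

```python
import math

PAM_CODES = {"allow": "PAM_SUCCESS", "deny": "PAM_PERM_DENIED", "ignore": "PAM_IGNORE"}
# Location used when the IP is not in the GeoIP database: no coordinates available.
UNKNOWN = ("UNKNOWN", "*", None)

def km_between(a, b):
    """Great-circle (haversine) distance in km; assumed formula, not the module's."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def rule_matches(rule, loc):
    country, city, coords = loc
    if rule["kind"] == "distance":
        # UNKNOWN has no coordinates, so a distance rule can never match it.
        return coords is not None and km_between(rule["center"], coords) <= rule["km"]
    # Assumption: "*" as a rule's city matches any city in that country.
    return rule["country"] == country and rule["city"] in ("*", city)

def decide(rules, loc, default_action="deny"):
    """First matching rule wins; otherwise the action= default applies."""
    for rule in rules:
        if rule_matches(rule, loc):
            return PAM_CODES[rule["action"]]
    return PAM_CODES[default_action]

# Constructed sample policy and lookup results (hypothetical rule representation).
RULES = [
    {"kind": "name", "country": "DE", "city": "Berlin", "action": "deny"},
    {"kind": "name", "country": "DE", "city": "*", "action": "allow"},
    {"kind": "distance", "center": (48.2082, 16.3738), "km": 50.0, "action": "allow"},
]
BERLIN = ("DE", "Berlin", (52.52, 13.405))
MUNICH = ("DE", "Munich", (48.137, 11.575))
NEAR_VIENNA = ("AT", "Baden", (48.005, 16.230))

if __name__ == "__main__":
    for name, loc in [("Berlin", BERLIN), ("Munich", MUNICH),
                      ("near Vienna", NEAR_VIENNA), ("unknown IP", UNKNOWN)]:
        print(f"{name:12} -> {decide(RULES, loc)}")
    # With a permissive default, an IP missing from the database is admitted
    # unless a rule explicitly matches UNKNOWN.
    print("unknown IP, action=allow ->", decide(RULES, UNKNOWN, "allow"))
```

Because the first match wins, the narrower Berlin rule must precede the country-wide one; with the order reversed the Berlin login would be allowed.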

OPTIONS

These options may be given in the PAM config file as parameters:

system_file=/path/to/geoip.conf

The configuration file for pam_geoip. Default is /etc/security/geoip.conf. For the format of this file, see geoip.conf.

geoip_db=/path/to/GeoIPCity.dat

The GeoIP database to use. Default: /usr/local/share/GeoIP/GeoIPCity.dat. This must be a "GeoIP City Edition" file, see http://www.maxmind.com/app/city and / or http://www.maxmind.com/app/geolitecity for more information.

charset=CHARSET

The charset of the config file, defaults to UTF-8. The other possible value is iso-8859-1 (case insensitive).

action=ACTION

Sets the default action if no location matches. Default is deny. Other possible values are allow or ignore. For the meanings of these, see above.

debug

Adds some debugging output to syslog.

FILES

/etc/security/geoip.conf

The default configuration file for this module

/etc/pam.d/*

The PAM(7) configuration files

SEE ALSO

geoip.conf(5), pam_access(8), pam.d(5), pam(7)

AUTHOR

Hanno Hecker <vetinari@ankh-morp.org>

DOWNLOADS

pam_geoip 0.9