Vetinari's $HOME


geoip.conf - config file for the PAM module pam_geoip


The configuration file (by default /etc/security/geoip.conf) contains lines of four items: domain, service, action and location. For a description of these, see below.

When the service specific configuration file (/etc/security/geoip.SERVICE.conf) is used, the service column must not be present. If this file is present, the default file is not used, even if present on the command line as system_file=/file/name.

If you need to match on city names containing non ascii(7) characters (like DE, Köln or SE, Växjö), you can set the character set to use in the module's arguments: iso-8859-1 or UTF-8 (the default).

Any (sub-)item except for action or the distance matching can use a single asterisk (*) to match any value.


A user name, group name (prefixed by @) or * for any user / group


A list of services (or *) separated by , (NO spaces allowed)


allow, deny or ignore. This is what will be returned to PAM if the location matches:








GeoIP location, separated by ;. This can be:

  • a country code (uppercased, two characters), * or UNKNOWN
  • a country code like above and , and a city name (or *). When using a GeoIP country database, this part must be *, i.e. the full entry looks like DE, *.
  • a distance from a given point, e.g.
     50.0 { 51.513888, 7.465277 }

    This is not available when using a GeoIP country database.

The location part can use spaces, but note: city names must be given as in the GeoIP database, i.e. Mountain View, NOT Moutain View or MountainView.

The distance is measured in kilometers. In the above example we match a circle of 100 km diameter around Dortmund, Germany (51° 30′ 50″ north, 7° 27′ 50″ east (51.513888888889, 7.465277777777876)). Coordinates west and south are given as negative values. Values must be given in decimal.


 # /etc/security/geoip.conf - config for
 #<domain>   <service>  <action>  <location>
 @wheel      sshd       allow     DE,* ; SE , Nybro 
 @wheel      sshd       allow     SE, Emmaboda; SE,Växjö
 someuser    sshd       allow     50.0 { 51.513888, 7.465277 }
 someuser    sshd       allow     DE,Köln
 otheruser   sshd       allow     SE,Umeå; DK, København
 *           *          ignore    UNKNOWN
 *           *          deny      *
 ## END

or the same as /etc/security/geoip.sshd.conf:

 #<domain>     <action>  <location>
 @wheel        allow     DE,* ; SE , Nybro 
 @wheel        allow     SE, Emmaboda; SE,Växjö
 someuser      allow     50.0 { 51.513888, 7.465277 }
 someuser      allow     DE,Köln
 otheruser     allow     SE,Umeå; DK, København
 *             ignore    UNKNOWN
 *             deny      *


pam_geoip(8), pam_access(8), pam.d(5), pam(7)


Hanno Hecker <>