NAME
geoip.conf - config file for the PAM module pam_geoip
DESCRIPTION
The configuration file (by default /etc/security/geoip.conf) contains lines of four items: domain, service, action and location. For a description of these, see below.
If you need to match on city names containing non ascii(7) characters (like DE, Köln or SE, Växjö), you can set the character set to use in the module's arguments: iso-8859-1 or UTF-8 (the default).
Any (sub-)item except for action or the distance matching can use a single asterisk (*) to match any value.
domain
    A user name, group name (prefixed by @) or * for any user / group
service
    A list of services (or *) separated by , (NO spaces allowed)
action
    allow, deny or ignore. This is what will be returned to PAM if the location matches:
location
    GeoIP location, separated by ;. This can be:
    - a country code (uppercased, two characters), * or UNKNOWN
    - a country code like above and , and a city name (or *)
    - a distance from a given point, e.g. 50.0 { 51.513888, 7.465277 }
The location part can use spaces, but note: city names must be given as in the GeoIP database, i.e. Mountain View, NOT Moutain View or MountainView.
The distance is measured in kilometers. In the above example we match a circle of 100 km diameter around Dortmund, Germany (51° 30′ 50″ north, 7° 27′ 50″ east (51.513888888889, 7.465277777777876)). Coordinates west and south are given as negative values. Values must be given in decimal.
EXAMPLE
#
# /etc/security/geoip.conf - config for pam_geoip.so
#
#<domain> <service> <action> <location>
@wheel sshd allow DE,* ; SE , Nybro
@wheel sshd allow SE, Emmaboda; SE,Växjö
someuser sshd allow 50.0 { 51.513888, 7.465277 }
someuser sshd allow DE,Köln
otheruser sshd allow SE,Umeå; DK, København
* * ignore UNKNOWN
* * deny *
## END
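The linter below is an added example, not part of pam_geoip or its documentation. It checks geoip.conf lines against the syntax described above (four items, the three actions, uppercase two-letter country codes, decimal distance entries) so typos can be caught before the file is deployed. The function names, the coordinate range check and treating only lines that begin with # as comments are assumptions.

```python
import re

ACTIONS = {"allow", "deny", "ignore"}
DIST = re.compile(r"^(\d+(?:\.\d+)?)\s*\{\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*\}$")
COUNTRY = re.compile(r"^(?:[A-Z]{2}|\*|UNKNOWN)$")

def parse_location(entry):
    """Parse one ';'-separated entry: country, country+city or '<km> { <lat>, <lon> }'."""
    m = DIST.match(entry.strip())
    if m:
        km, lat, lon = map(float, m.groups())
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError(f"coordinates out of range: {entry.strip()!r}")
        return ("distance", km, lat, lon)
    country, sep, city = (p.strip() for p in entry.partition(","))
    if not COUNTRY.match(country) or (sep and not city):
        raise ValueError(f"bad country/city entry: {entry.strip()!r}")
    return ("city", country, city) if sep else ("country", country)

def parse_line(line):
    """Parse one config line; blank lines and '#' lines return None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 3)  # location is the rest and may hold spaces
    if len(fields) != 4:
        raise ValueError("expected domain, service, action and location")
    domain, service, action, location = fields
    if action not in ACTIONS:
        raise ValueError(f"bad action: {action!r}")
    return {"domain": domain, "services": service.split(","), "action": action,
            "locations": [parse_location(e) for e in location.split(";")]}

def lint(text):
    """Return (line number, message) for each line that fails to parse."""
    errors = []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            parse_line(line)
        except ValueError as exc:
            errors.append((number, str(exc)))
    return errors

# Constructed sample: lines 3 and 4 carry deliberate mistakes.
SAMPLE = """@wheel sshd allow DE,* ; SE , Nybro
someuser sshd allow 50.0 { 51.513888, 7.465277 }
otheruser sshd alow SE,Umeå
otheruser sshd allow se,Umeå
* * deny *"""
```

Calling lint(SAMPLE) reports the misspelled action on line 3 and the lowercase country code on line 4. A space inside the service list shifts the fields, so it is also reported as a bad action.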
SEE ALSO
pam_geoip(8), pam_access(8), pam.d(5), pam(7)
AUTHOR
Hanno Hecker <vetinari@ankh-morp.org>




