DESCRIPTION

The configuration file (by default /etc/security/geoip.conf) contains lines of four items: domain, service, action and location. For a description of these, see below.

When the service specific configuration file (/etc/security/geoip.SERVICE.conf) is used, the service column must not be present. If this file is present, the default file is not used, even if present on the command line as \*(C`system_file=/file/name\*(C'.

If you need to match on city names containing non ascii\|(7) characters (like \*(C`DE, Köln\*(C' or \*(C`SE, Växjö\*(C'), you can set the character set to use in the module's arguments: \*(C`iso-8859-1\*(C' or \*(C`UTF-8\*(C' (the default).

Any (sub-)item except for action or the distance matching can use a single asterisk (\*(C`*\*(C') to match any value.

domain

A user name, group name (prefixed by \*(C`@\*(C') or \*(C`*\*(C' for any user / group

service

A list of services (or \*(C`*\*(C') separated by \*(C`,\*(C' (\s-1NO\s0 spaces allowed)

action

\*(C`allow\*(C', \*(C`deny\*(C' or \*(C`ignore\*(C'. This is what will be returned to \s-1PAM\s0 if the location matches:

allow

\s-1PAM_ALLOW\s0

deny

\s-1PAM_PERM_DENIED\s0

ignore

\s-1PAM_IGNORE\s0

location

GeoIP location, separated by \*(C`;\*(C'. This can be:

  • a country code (uppercased, two characters), \*(C`*\*(C' or \*(C`UNKNOWN\*(C'

  • a country code like above and \*(C`,\*(C' and a city name (or \*(C`*\*(C'). When using a GeoIP country database, this part must be \*(C`*\*(C', i.e. the full entry looks like \*(C`DE, *\*(C'.

  • a distance from a given point, e.g.

     50.0 { 51.513888, 7.465277 }
    

    This is not available when using a GeoIP country database.

The location part can use spaces, but note: city names must be given as in the GeoIP database, i.e. \*(C`Mountain View\*(C', \s-1NOT\s0 \*(C`Moutain  View\*(C' or \*(C`MountainView\*(C'.

The distance is measured in kilometers. In the above example we match a circle of 100 km diameter around Dortmund, Germany (51° 30′ 50″ north, 7° 27′ 50″ east (51.513888888889, 7.465277777777876)). Coordinates west and south are given as negative values. Values must be given in decimal.

EXAMPLE

# # /etc/security/geoip.conf - config for pam_geoip.so #

#<domain> <service> <action> <location> @wheel sshd allow DE,* ; SE , Nybro @wheel sshd allow SE, Emmaboda; SE,Växjö someuser sshd allow 50.0 { 51.513888, 7.465277 } someuser sshd allow DE,Köln otheruser sshd allow SE,Umeå; DK, København * * ignore UNKNOWN * * deny * ## END

or the same as /etc/security/geoip.sshd.conf:

#<domain> <action> <location> @wheel allow DE,* ; SE , Nybro @wheel allow SE, Emmaboda; SE,Växjö someuser allow 50.0 { 51.513888, 7.465277 } someuser allow DE,Köln otheruser allow SE,Umeå; DK, København * ignore UNKNOWN * deny *

RELATED TO geoip.conf…

pam_geoip\|(8), pam_access\|(8), pam.d\|(5), pam\|(7)

AUTHOR

Hanno Hecker \*(C`<[email protected]>\*(C'