Geoip account management module for (linux-)pam
account required pam_geoip.so [system_file=file] [geoip_db=file] [charset=name] [action=name] [debug] [geoip6_db=file] [use_v6=1] [v6_first=1]
The pam_geoip module checks whether the remote user is logging in from a given location. This is similar to pam_access(8), but uses a GeoIP City or GeoIP Country database instead of host name / IP matching.
The matching is done on given country and city names or on distance from a given location. With a Country database only country matches are possible.
This PAM module provides the account hook only.
If an IP is not found in the GeoIP database, the location to match against is set to "UNKNOWN, *"; no distance matching is possible for such entries, of course.
NOTE: PAM only receives a hostname. When trying to find an IP for this name, the module tries IPv4 first, then IPv6. This can be changed with the "v6_first=1" switch.
IPv6 support is only available with GeoIP v1.4.8 or greater, and it has to be enabled by using the "use_v6=1" switch.
If a file named /etc/security/geoip.SERVICE.conf (with SERVICE being the name of the PAM service) can be opened, it is used instead of the default /etc/security/geoip.conf.
The first matching entry in the geoip.conf(5) file wins, i.e. the action given in this line will be returned to PAM as one of:
PAM_SUCCESS
PAM_PERM_DENIED
PAM_IGNORE
These options may be given in the PAM config file as parameters:
system_file=file
The configuration file for pam_geoip. Default is /etc/security/geoip.conf. For the format of this file, see geoip.conf(5). NOTE: when a file /etc/security/geoip.SERVICE.conf is present, this switch is ignored (with SERVICE being the name of the PAM service, e.g. "sshd").
geoip_db=file
The GeoIP database to use. Default: /usr/local/share/GeoIP/GeoIPCity.dat. This must be a "GeoIP City Edition" or a "GeoIP Country Edition" file; see <http://www.maxmind.com/en/city> and <http://dev.maxmind.com/geoip/geolite> for more information.
geoip6_db=file
The GeoIP IPv6 database to use. Default: /usr/local/share/GeoIP/GeoIPCityv6.dat. This must be a "GeoIP City Edition IPv6" or a "GeoIP Country Edition IPv6" file; see above for more information.
use_v6=1
Use the IPv6 DB.
v6_first=1
Try resolving the hostname as IPv6 before trying IPv4.
charset=name
The charset of the config file, defaults to "UTF-8". The other possible value is "iso-8859-1" (case insensitive).
action=name
Sets the default action if no location matches. Default is "deny". Other possible values are "allow" or "ignore". For the meanings of these, see above.
debug
Adds some debugging output to syslog.
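The matching rules described above (country or city names, distance from a location, "UNKNOWN, *" for unresolved IPs, first match wins, default action otherwise) as an added Python model; this is not the module's code and it does not parse geoip.conf(5) syntax: the rule list, the GeoIP lookup table and the IP addresses are constructed sample data.

```python
import math

# Constructed stand-in for a GeoIP City lookup: IP -> (country, city, lat, lon).
# The real module reads the MaxMind database; this table is invented sample data.
GEOIP_SAMPLE = {
    "203.0.113.5": ("DE", "Berlin", 52.52, 13.405),
    "198.51.100.7": ("US", "Chicago", 41.878, -87.630),
}

def lookup(ip):
    """Unknown IPs become ("UNKNOWN", "*") with no coordinates, as the module does."""
    return GEOIP_SAMPLE.get(ip, ("UNKNOWN", "*", None, None))

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def rule_matches(rule, loc):
    country, city, lat, lon = loc
    kind = rule["match"]
    if kind == "country":
        return rule["country"] == country
    if kind == "city":
        return rule["country"] == country and rule["city"] == city
    if kind == "distance":
        if lat is None:          # UNKNOWN location: distance matching is impossible
            return False
        return km_between(lat, lon, rule["lat"], rule["lon"]) <= rule["km"]
    raise ValueError("unknown match kind: %s" % kind)

def decide(rules, ip, default="deny"):
    """First matching rule wins; otherwise the configured default action applies."""
    loc = lookup(ip)
    for rule in rules:
        if rule_matches(rule, loc):
            return rule["action"]
    return default

# Constructed rule order: the country-wide deny shadows the later Chicago allow,
# which is the first-match-wins pitfall to watch for when editing the config.
RULES = [
    {"action": "allow", "match": "distance", "lat": 52.52, "lon": 13.405, "km": 100},
    {"action": "deny", "match": "country", "country": "US"},
    {"action": "allow", "match": "city", "country": "US", "city": "Chicago"},
]
```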
/etc/security/geoip.conf
The default configuration file for this module
/etc/security/geoip.SERVICE.conf
The default configuration file for PAM service SERVICE
The PAM(7) configuration files
geoip.conf(5), pam_access(8), pam.d(5), pam(7)
Hanno Hecker <[email protected]>