DOKK / manpages / debian 12 / libpam-geoip / pam_geoip.8.en

NAME

pam_geoip - GeoIP account management module for (Linux-)PAM

SYNOPSIS

 account required pam_geoip.so [system_file=file] [geoip_db=file]
        [action=name] [language=name] [debug]

DESCRIPTION

The pam_geoip module provides a check if the remote logged in user is logged in from a given location. This is similar to pam_access(8), but uses a GeoIP2 City or GeoIP2 Country database instead of host name / IP matching.

The matching is done on given country and city names or on distance from a given location. With a country database only matches of the countries are possible.

This PAM module provides the account hook only.

If an IP is not found in the GeoIP2 database, the location to match against is set to "UNKNOWN, *", no distance matching is possible for these, of course.

If a file named /etc/security/geoip.SERVICE.conf (with SERVICE being the name of the PAM service) can be opened, this is used instead of the default /etc/security/geoip.conf.

The first matching entry in the geoip.conf(5) file wins, i.e. the action given in this line will be returned to PAM:

allow: PAM_SUCCESS
deny: PAM_PERM_DENIED
ignore: PAM_IGNORE

OPTIONS

These options may be given in the PAM config file as parameters:

system_file=/path/to/geoip.conf: The configuration file for pam_geoip. Default is /etc/security/geoip.conf. For the format of this file, see geoip.conf(5).
NOTE: when a file /etc/security/geoip.SERVICE.conf file is present, this switch is ignored (with "SERVICE" being the name of the PAM service, e.g. "sshd").
geoip_db=/path/to/GeoLite2-City.mmdb: The GeoIP2 database to use. Default: /usr/share/GeoIP/GeoLite2-City.mmdb. This must be a "GeoIP2 City Edition" or a "GeoIP2 Country Edition" file, see <https://www.maxmind.com/en/geoip2-databases> and <https://dev.maxmind.com/geoip/geoip2/geolite2/> for more information.
The database can contain IPv4 or IPv6 addresses or both.
action=ACTION: Sets the default action if no location matches. Default is "deny". Other possible values are "allow" or "ignore". For the meanigns of these, see above.
language=NAME: Sets the language to be used to find names (city etc.). Default is "en".
debug: Adds some debugging output to syslog.

FILES

/etc/security/geoip.conf: The default configuration file for this module
/etc/security/geoip.SERVICE.conf: The default configuration file for PAM service SERVICE
/etc/pam.d/*: The PAM(7) configuration files

AUTHOR

Amish - GeoIP2 Hanno Hecker - Legacy GeoIP "<vetinari@ankh-morp.org>"

2023-01-12