Provided by: libpam-geoip_2.1.1-4_amd64 bug


       geoip.conf - config file for the PAM module pam_geoip


       The configuration file (by default /etc/security/geoip.conf) contains lines of four items:
       domain, service, action and location. For a description of these, see below.

       When the service specific configuration file (/etc/security/geoip.SERVICE.conf) is used,
       the service column must not be present. If this file is present, the default file is not
       used, even if present on the command line as "system_file=/file/name".

       If you need to match on city names containing non ascii(7) characters (like "DE, Köln" or
       "SE, Växjö"), you can set the character set to use in the module's arguments: "iso-8859-1"
       or "UTF-8" (the default).

       Any (sub-)item except for action or the distance matching can use a single asterisk ("*")
       to match any value.

           A user name, group name (prefixed by "@") or "*" for any user / group

           A list of services (or "*") separated by "," (NO spaces allowed)

           "allow", "deny" or "ignore". This is what will be returned to PAM if the location




           GeoIP location, separated by ";". This can be:

           • a country code (uppercased, two characters), "*" or "UNKNOWN"

           • a country code like above and "," and a city name (or "*"). When using a GeoIP
             country database, this part must be "*", i.e. the full entry looks like "DE, *".

           • a distance from a given point, e.g.

              50.0 { 51.513888, 7.465277 }

             This is not available when using a GeoIP country database.

       The location part can use spaces, but note: city names must be given as in the GeoIP
       database, i.e. "Mountain View", NOT "Moutain  View" or "MountainView".

       The distance is measured in kilometers. In the above example we match a circle of 100 km
       diameter around Dortmund, Germany (51° 30′ 50″ north, 7° 27′ 50″ east (51.513888888889,
       7.465277777777876)). Coordinates west and south are given as negative values. Values must
       be given in decimal.


        # /etc/security/geoip.conf - config for

        #<domain>   <service>  <action>  <location>
        @wheel      sshd       allow     DE,* ; SE , Nybro
        @wheel      sshd       allow     SE, Emmaboda; SE,Växjö
        someuser    sshd       allow     50.0 { 51.513888, 7.465277 }
        someuser    sshd       allow     DE,Köln
        otheruser   sshd       allow     SE,Umeå; DK, København
        *           *          ignore    UNKNOWN
        *           *          deny      *
        ## END

       or the same as /etc/security/geoip.sshd.conf:

        #<domain>     <action>  <location>
        @wheel        allow     DE,* ; SE , Nybro
        @wheel        allow     SE, Emmaboda; SE,Växjö
        someuser      allow     50.0 { 51.513888, 7.465277 }
        someuser      allow     DE,Köln
        otheruser     allow     SE,Umeå; DK, København
        *             ignore    UNKNOWN
        *             deny      *


       pam_geoip(8), pam_access(8), pam.d(5), pam(7)


       Amish - GeoIP2 Hanno Hecker - Legacy GeoIP "<>"

                                            2021-10-19                              geoip.conf(5)