Provided by: libpam-geoip_1.1-2_amd64

NAME

       pam_geoip - GeoIP account management module for (Linux-)PAM

SYNOPSIS

        account required pam_geoip.so [system_file=file] [geoip_db=file]
               [charset=name] [action=name] [debug] [geoip6_db=file]
               [use_v6=1] [v6_first=1]

DESCRIPTION

       The pam_geoip module checks whether a remote user is logging in from a given location.
       This is similar to pam_access(8), but uses a GeoIP City or GeoIP Country database
       instead of host name / IP matching.

       The matching is done on given country and city names or on distance from a given location.
       With a country database, only country matches are possible.

       This PAM module provides the account hook only.

       If an IP is not found in the GeoIP database, the location to match against is set to
       "UNKNOWN, *". No distance matching is possible for such addresses.

       NOTE: PAM just receives a hostname. When trying to find an IP for this name, the module
       tries IPv4 first, then IPv6. This can be changed with the "v6_first=1" switch.

       IPv6 support is only available with geoip v1.4.8 or greater, and has to be enabled by
       using the "use_v6=1" switch.

       If a file named /etc/security/geoip.SERVICE.conf (with SERVICE being the name of the PAM
       service) can be opened, this is used instead of the default /etc/security/geoip.conf.

       The first matching entry in the geoip.conf(5) file wins, i.e. the action given in this
       line will be returned to PAM:

       allow
           PAM_SUCCESS

       deny
           PAM_PERM_DENIED

       ignore
           PAM_IGNORE

OPTIONS

       These options may be given in the PAM config file as parameters:

       system_file=/path/to/geoip.conf
           The configuration file for pam_geoip. Default is /etc/security/geoip.conf. For the
           format of this file, see geoip.conf(5).

           NOTE: when a file /etc/security/geoip.SERVICE.conf is present, this switch is
           ignored (with "SERVICE" being the name of the PAM service, e.g. "sshd").

       geoip_db=/path/to/GeoIPCity.dat
           The GeoIP database to use. Default: /usr/local/share/GeoIP/GeoIPCity.dat. This must
           be a "GeoIP City Edition" or a "GeoIP Country Edition" file, see
           <http://www.maxmind.com/en/city> and <http://dev.maxmind.com/geoip/geolite> for more
           information.

       geoip6_db=/path/to/GeoIPCityv6.dat
           The GeoIP IPv6 database to use. Default: /usr/local/share/GeoIP/GeoIPCityv6.dat. This
           must be a "GeoIP City Edition IPv6" or a "GeoIP Country Edition IPv6" file, see above
           for more information.

       use_v6=1
           Use IPv6 DB.

       v6_first=1
           Try resolving as IPv6 before trying as IPv4 hostname.

       charset=CHARSET
           The charset of the config file. Defaults to "UTF-8". The other possible value is
           "iso-8859-1" (case insensitive).

       action=ACTION
           Sets the default action if no location matches. Default is "deny". Other possible
           values are "allow" or "ignore". For the meanings of these, see above.

       debug
           Adds some debugging output to syslog.
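
       The following added example (not part of pam_geoip or of this manual page) audits the
       pam_geoip lines of a PAM service file using only the rules stated above: which
       configuration file takes effect, which PAM result the default action yields, and option
       combinations that do not do what they appear to. The function name audit_pam_geoip, the
       exists callback and the sample service file are assumptions made for the example.

```python
import os

DEFAULT_CONF = "/etc/security/geoip.conf"
PAM_RESULT = {"allow": "PAM_SUCCESS", "deny": "PAM_PERM_DENIED", "ignore": "PAM_IGNORE"}

def audit_pam_geoip(service, pam_text, exists=os.path.exists):
    """Audit each pam_geoip.so line of one /etc/pam.d/<service> file (hypothetical helper)."""
    results = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        idx = next((i for i, f in enumerate(fields)
                    if os.path.basename(f) == "pam_geoip.so"), None)
        if idx is None or idx == 0:
            continue
        # Module arguments are key=value pairs or bare flags such as "debug".
        opts = dict(a.partition("=")[::2] for a in fields[idx + 1:])
        warnings = []
        if fields[0].lstrip("-") != "account":
            warnings.append("pam_geoip provides the account hook only")
        # geoip.SERVICE.conf, when present, is used instead of the default file and
        # makes system_file ignored; exists() approximates "can be opened".
        conf = opts.get("system_file", DEFAULT_CONF)
        service_conf = f"/etc/security/geoip.{service}.conf"
        if exists(service_conf):
            if "system_file" in opts:
                warnings.append(f"system_file={conf} is ignored in favour of {service_conf}")
            conf = service_conf
        action = opts.get("action", "deny")
        if action == "allow":
            warnings.append("action=allow: a location matching no entry gets PAM_SUCCESS")
        if opts.get("use_v6") != "1" and ("v6_first" in opts or "geoip6_db" in opts):
            warnings.append("IPv6 options set but use_v6=1 is missing")
        results.append({"config": conf, "default_action": action,
                        "default_result": PAM_RESULT.get(action), "warnings": warnings})
    return results

if __name__ == "__main__":
    # Constructed sample of /etc/pam.d/sshd; "present" stands in for the file system.
    sample = (
        "# constructed example\n"
        "account required pam_nologin.so\n"
        "account required pam_geoip.so system_file=/etc/security/geo-ssh.conf"
        " action=allow v6_first=1\n")
    present = {"/etc/security/geoip.sshd.conf"}
    for r in audit_pam_geoip("sshd", sample, exists=present.__contains__):
        print(r["config"], r["default_action"], r["default_result"])
        for w in r["warnings"]:
            print("  warning:", w)
```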

FILES

       /etc/security/geoip.conf
           The default configuration file for this module

       /etc/security/geoip.SERVICE.conf
           The default configuration file for PAM service SERVICE

       /etc/pam.d/*
           The PAM(7) configuration files

SEE ALSO

       geoip.conf(5), pam_access(8), pam.d(5), pam(7)

AUTHOR

       Hanno Hecker "<vetinari@ankh-morp.org>"

                                            2012-12-28                               pam_geoip(8)