account required [system_file=file] [geoip_db=file]
        [charset=name] [action=name] [debug] [geoip6_db=file]
        [use_v6=1] [v6_first=1]


The pam_geoip module checks whether a remotely logged-in user is connecting from a given location. This is similar to pam_access(8), but uses a GeoIP City or GeoIP Country database instead of host name / IP matching.

The matching is done on given country and city names or on distance from a given location. With a country database, only country matches are possible.

This PAM module provides the account hook only.

If an IP is not found in the GeoIP database, the location to match against is set to "UNKNOWN, *"; no distance matching is possible for these, of course.

NOTE: PAM just receives a hostname. When trying to find an IP for this name, the module tries IPv4 first, then IPv6. This can be changed with the "v6_first=1" switch.

IPv6 support is only available with geoip v1.4.8 or greater, and has to be enabled by using the "use_v6=1" switch.

If a file named /etc/security/geoip.SERVICE.conf (with SERVICE being the name of the PAM service) can be opened, this is used instead of the default /etc/security/geoip.conf.

The first matching entry in the geoip.conf(5) file wins, i.e. the action given in this line will be returned to PAM:








These options may be given in the PAM config file as parameters:


system_file=file
The configuration file for pam_geoip. Default is /etc/security/geoip.conf. For the format of this file, see geoip.conf(5). NOTE: when a file /etc/security/geoip.SERVICE.conf is present, this switch is ignored (with "SERVICE" being the name of the PAM service, e.g. "sshd").


geoip_db=file
The GeoIP database to use. Default: /usr/local/share/GeoIP/GeoIPCity.dat. This must be a "GeoIP City Edition" or a "GeoIP Country Edition" file, see <>, <> and <> for more information.


geoip6_db=file
The GeoIP IPv6 database to use. Default: /usr/local/share/GeoIP/GeoIPCityv6.dat. This must be a "GeoIP City Edition IPv6" or a "GeoIP Country Edition IPv6" file, see above for more information.


use_v6=1
Use the IPv6 DB.


v6_first=1
Try resolving the hostname as IPv6 before trying it as IPv4.


charset=name
The charset of the config file, defaults to "UTF-8". The other possible value is "iso-8859-1" (case insensitive).


action=name
Sets the default action if no location matches. Default is "deny". Other possible values are "allow" or "ignore". For the meanings of these, see above.


debug
Adds some debugging output to syslog.
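
An added example, not part of the pam_geoip distribution: a small Python audit that reads a PAM service file and reports which rule file and default action are actually in effect, following the per-service override and the defaults described above. The module file name pam_geoip.so, the helper names, and the sample PAM line are assumptions.

```python
import os
import tempfile

DEFAULT_CONF = "/etc/security/geoip.conf"   # default system_file per the page

def parse_geoip_line(line):
    """Return the option dict of a pam_geoip account line, or None."""
    fields = line.split("#", 1)[0].split()
    mod = next((i for i, f in enumerate(fields) if "pam_geoip" in f), None)
    if not fields or fields[0] != "account" or mod is None:
        return None
    opts = {}
    for tok in fields[mod + 1:]:
        key, _, val = tok.partition("=")
        opts[key] = val or True              # bare switches such as "debug"
    return opts

def audit(service, pam_text, security_dir="/etc/security"):
    """Resolve the effective rule file and default action for one service."""
    per_service = os.path.join(security_dir, f"geoip.{service}.conf")
    findings = []
    for line in pam_text.splitlines():
        opts = parse_geoip_line(line)
        if opts is None:
            continue
        conf, notes = opts.get("system_file", DEFAULT_CONF), []
        if os.access(per_service, os.R_OK):  # per-service file wins
            if "system_file" in opts:
                notes.append("system_file ignored")
            conf = per_service
        action = opts.get("action", "deny")  # default action is deny
        if action != "deny":
            notes.append("unmatched locations not denied")
        findings.append({"conf": conf, "action": action, "notes": notes})
    return findings

def demo():
    # Constructed sample: a temp dir stands in for /etc/security.
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "geoip.sshd.conf"), "w").close()
        pam = "account required pam_geoip.so system_file=/etc/security/geo-ssh.conf action=allow\n"
        return audit("sshd", pam, d), audit("login", pam, d)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

For the "sshd" service the report shows the per-service file in effect and the system_file switch ignored; for "login" the system_file value is used.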



The default configuration file for this module


The default configuration file for PAM service SERVICE


The PAM(7) configuration files

RELATED TO pam_geoip…

geoip.conf(5), pam_access(8), pam.d(5), pam(7)


Hanno Hecker <[email protected]>