pax_global_header00006660000000000000000000000064134322452660014521gustar00rootroot0000000000000052 comment=d9ce0e73eecc957d5d44a897b624a3e9f20526d5 pam_geoip-2.1.1/000077500000000000000000000000001343224526600134625ustar00rootroot00000000000000pam_geoip-2.1.1/.gitignore000066400000000000000000000005511343224526600154530ustar00rootroot00000000000000# Prerequisites *.d # Object files *.o *.ko *.obj *.elf # Linker output *.ilk *.map *.exp # Precompiled Headers *.gch *.pch # Libraries *.lib *.a *.la *.lo # Shared objects (inc. Windows DLLs) *.dll *.so *.so.* *.dylib # Executables *.exe *.out *.app *.i*86 *.x86_64 *.hex # Debug files *.dSYM/ *.su *.idb *.pdb # Miscellaneous geoip.conf.5 pam_geoip.8 pam_geoip-2.1.1/LICENSE000066400000000000000000000167441343224526600145030ustar00rootroot00000000000000 GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below. 0. Additional Definitions. As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License. "The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below. An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library. A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version". The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version. The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work. 1. Exception to Section 3 of the GNU GPL. You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL. 2. Conveying Modified Versions. If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version: a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy. 3. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following: a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the object code with a copy of the GNU GPL and this license document. 4. Combined Works. You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following: a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the Combined Work with a copy of the GNU GPL and this license document. c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document. d) Do one of the following: 0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source. 1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version. e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.) 5. Combined Libraries. You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License. b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation. If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library. pam_geoip-2.1.1/Makefile000066400000000000000000000016331343224526600151250ustar00rootroot00000000000000POD2MAN=pod2man -u -c ' ' -r ' ' MANPAGES=geoip.conf.5 pam_geoip.8 MAN_5_POD=geoip.conf.5.pod MAN_8_POD=pam_geoip.8.pod C_FILES=pam_geoip.c parse.c args.c check.c HEADER=pam_geoip.h OBJECTS=pam_geoip.o parse.o args.o check.o MODULE=pam_geoip.so LDFLAGS=-lpam -lmaxminddb -lm -shared CCFLAGS=-Wall PAM_LIB_DIR=$(DESTDIR)/lib/$(MULTIARCH)/security INSTALL=/usr/bin/install all: pam_geoip.so doc doc: $(MANPAGES_POD) $(MANPAGES) %.5: $(MAN_5_POD) $(POD2MAN) -u -s 5 -n $(shell basename $@ .5) $@.pod > $@ %.8: $(MAN_8_POD) $(POD2MAN) -u -s 8 -n $(shell basename $@ .8) $@.pod > $@ $(OBJECTS): $(C_FILES) $(CC) $(CCFLAGS) -fPIC -c $*.c pam_geoip.so: $(OBJECTS) $(CC) $(CCFLAGS) $(LDFLAGS) -o $@ $(OBJECTS) clean: rm -f $(MANPAGES) rm -f $(OBJECTS) $(MODULE) core *~ install: $(MODULE) $(INSTALL) -m 0755 -d $(PAM_LIB_DIR) $(INSTALL) -m 0644 $(MODULE) $(PAM_LIB_DIR) ### dev targets: update: svn update # END pam_geoip-2.1.1/README000066400000000000000000000023241343224526600143430ustar00rootroot00000000000000$Id$ pam_geoip - GeoIP account management module for (Linux-)PAM This PAM module provides GeoIP checking for logins. The user can be allowed or denied based on the location of the originating IP address. This is similar to pam_access(8), but uses a GeoIP2 City or GeoIP2 Country database instead of host name / IP matching. The matching in pam_geoip is done on given country and city names or on distance from a given location. With a Country database only matches of the originating country are possible. This PAM module provides the "account" hook only. To use this module, add a line like (optional parts in square brackets) account required pam_geoip.so [system_file=file] [geoip_db=file] \ [action=name] [language=name] [debug] to the relevant files in /etc/pam.d/ and configure your /etc/security/geoip.conf and/or /etc/security/geoip.SERVICE.conf. Requirements: Debian (lenny, squeeze, sid [Linux, kFreeBSD]): building: libmaxminddb-dev, libpam0g-dev, perl (pod2man) running: libmaxminddb, libpam0g, libpam-{modules,runtime}, a GeoIP2 City database or a GeoIP Country database, see https://www.maxmind.com/en/geoip2-databases and https://dev.maxmind.com/geoip/geoip2/geolite2/ for more information. pam_geoip-2.1.1/args.c000066400000000000000000000033301343224526600145610ustar00rootroot00000000000000/* * args.c - account module to check GeoIP information * * $Id$ * */ #include "pam_geoip.h" void _parse_args(pam_handle_t *pamh, int argc, const char **argv, struct options *opts) { int i; for (i=0; idebug = 1; else if (!strncmp(argv[i], "action=", 7)) { if (argv[i][7]) { if (!strncmp(argv[i]+7, "allow", 5)) opts->action = PAM_SUCCESS; else if (!strncmp(argv[i]+7, "deny", 4)) opts->action = PAM_PERM_DENIED; else if (!strncmp(argv[i]+7, "ignore", 6)) opts->action = PAM_IGNORE; } } else pam_syslog(pamh, LOG_WARNING, "unknown parameter %s", argv[i]); } } /* * vim: ts=4 sw=4 expandtab */ pam_geoip-2.1.1/check.c000066400000000000000000000061071343224526600147070ustar00rootroot00000000000000/* * check.c - account module to check GeoIP information * * $Id$ * */ #include "pam_geoip.h" int check_service(pam_handle_t *pamh, char *services, char *srv) { char *str, *next; if (!strcmp(services, "*")) return 1; str = services; while (*services) { while (*str && *str != ',') ++str; if (*str) next = str + 1; else next = ""; *str = 0; if (!strncmp(services, srv, strlen(services)) || !strcmp(services, "*")) return 1; services = next; } return 0; } /* see also: http://en.wikipedia.org/wiki/Great-circle_distance */ double calc_distance(double latitude, double longitude, double geo_lat, double geo_long) { double distance; float earth = 6367.46; /* km avg radius */ /* convert grad to rad: */ double la1 = latitude * M_PI / 180.0, la2 = geo_lat * M_PI / 180.0, lo1 = longitude * M_PI / 180.0, lo2 = geo_long * M_PI / 180.0; distance = atan2(sqrt( pow(cos(la2) * sin(lo1-lo2), 2.0) + pow(cos(la1) * sin(la2) - sin(la1) * cos(la2) * cos(lo1-lo2), 2.0) ), sin(la1) * sin(la2) + cos(la1) * cos(la2) * cos(lo1-lo2) ); if (distance < 0.0) distance += 2 * M_PI; distance *= earth; return distance; } int check_location(pam_handle_t *pamh, struct options *opts, char *location_string, struct locations *geo) { int retval = 0; double distance; struct locations *list, *loc; list = loc = parse_locations(pamh, opts, location_string); while (list) { if (!list->country) { if (!strcmp(geo->country, "UNKNOWN")) { list = list->next; continue; } if (opts->is_city_db) { distance = calc_distance(list->latitude, list->longitude, geo->latitude, geo->longitude); if (distance <= list->radius) { pam_syslog(pamh, LOG_INFO, "distance(%.3f) < radius(%3.f)", distance, list->radius); sprintf(location_string, "%.3f {%f,%f}", distance, geo->latitude, geo->longitude); retval = 1; break; } } else pam_syslog(pamh, LOG_INFO, "not a city db edition, ignoring distance entry"); } else { if (opts->debug) pam_syslog(pamh, LOG_INFO, "location: (%s,%s) geoip: (%s,%s)", list->country, list->city, geo->country, geo->city); if ((list->country[0] == '*' || !strcmp(list->country, geo->country)) && (list->city[0] == '*' || !strcmp(list->city, geo->city)) ) { if (opts->debug) pam_syslog(pamh, LOG_INFO, "location [%s,%s] matched: %s,%s", geo->country, geo->city, list->country, list->city); sprintf(location_string, "%s,%s", geo->country, geo->city); retval = 1; break; } } list = list->next; } if (loc) free_locations(loc); return retval; } /* * vim: ts=4 sw=4 expandtab */ pam_geoip-2.1.1/geoip.conf000066400000000000000000000004141343224526600154330ustar00rootroot00000000000000# # /etc/security/geoip.conf - config for pam_geoip.so # # * * ignore UNKNOWN * * allow * ##example config # #@wheel sshd allow DE,* ; SE,* #meike sshd allow DE,* #* * deny * pam_geoip-2.1.1/geoip.conf.5.pod000066400000000000000000000062601343224526600163640ustar00rootroot00000000000000 =encoding utf8 =cut $Id$ =head1 NAME geoip.conf - config file for the PAM module pam_geoip =head1 DESCRIPTION The configuration file (by default F) contains lines of four items: domain, service, action and location. For a description of these, see below. When the service specific configuration file (F) is used, the I column must not be present. If this file is present, the default file is not used, even if present on the command line as C. If you need to match on city names containing non L characters (like C or C), you can set the character set to use in the module's arguments: C or C (the default). Any (sub-)item except for I or the distance matching can use a single asterisk (C<*>) to match any value. =over 4 =item domain A user name, group name (prefixed by C<@>) or C<*> for any user / group =item service A list of services (or C<*>) separated by C<,> (NO spaces allowed) =item action C, C or C. This is what will be returned to PAM if the location matches: =over 2 =item allow I =item deny I =item ignore I =back =item location GeoIP location, separated by C<;>. This can be: =over 2 =item * a country code (uppercased, two characters), C<*> or C =item * a country code like above and C<,> and a city name (or C<*>). When using a GeoIP country database, this part must be C<*>, i.e. the full entry looks like C. =item * a distance from a given point, e.g. 50.0 { 51.513888, 7.465277 } This is not available when using a GeoIP country database. =back =back The location part can use spaces, but note: city names must be given as in the GeoIP database, i.e. S>, NOT S> or C. The distance is measured in kilometers. In the above example we match a circle of 100 km diameter around Dortmund, Germany (51° 30′ 50″ north, 7° 27′ 50″ east (51.513888888889, 7.465277777777876)). Coordinates west and south are given as negative values. Values must be given in decimal. =head1 EXAMPLE # # /etc/security/geoip.conf - config for pam_geoip.so # # @wheel sshd allow DE,* ; SE , Nybro @wheel sshd allow SE, Emmaboda; SE,Växjö someuser sshd allow 50.0 { 51.513888, 7.465277 } someuser sshd allow DE,Köln otheruser sshd allow SE,Umeå; DK, København * * ignore UNKNOWN * * deny * ## END or the same as F: # @wheel allow DE,* ; SE , Nybro @wheel allow SE, Emmaboda; SE,Växjö someuser allow 50.0 { 51.513888, 7.465277 } someuser allow DE,Köln otheruser allow SE,Umeå; DK, København * ignore UNKNOWN * deny * =head1 SEE ALSO L, L, L, L =head1 AUTHOR Amish - GeoIP2 Hanno Hecker - Legacy GeoIP Cvetinari@ankh-morp.orgE> =cut pam_geoip-2.1.1/pam_geoip.8.pod000066400000000000000000000054201343224526600162750ustar00rootroot00000000000000 =encoding utf8 =cut $Id$ =head1 NAME pam_geoip - GeoIP account management module for (Linux-)PAM =head1 SYNOPSIS account required pam_geoip.so [system_file=file] [geoip_db=file] [action=name] [language=name] [debug] =head1 DESCRIPTION The B module provides a check if the remote logged in user is logged in from a given location. This is similar to L, but uses a GeoIP2 City or GeoIP2 Country database instead of host name / IP matching. The matching is done on given country and city names or on distance from a given location. With a country database only matches of the countries are possible. This PAM module provides the I hook only. If an IP is not found in the GeoIP2 database, the location to match against is set to C, no distance matching is possible for these, of course. If a file named F (with SERVICE being the name of the PAM service) can be opened, this is used instead of the default F. The first matching entry in the L file wins, i.e. the action given in this line will be returned to PAM: =over 4 =item allow PAM_SUCCESS =item deny PAM_PERM_DENIED =item ignore PAM_IGNORE =back =head1 OPTIONS These options may be given in the PAM config file as parameters: =over 4 =item system_file=/path/to/geoip.conf The configuration file for B. Default is F. For the format of this file, see L. B: when a file F file is present, this switch is ignored (with C being the name of the PAM service, e.g. C). =item geoip_db=/path/to/GeoLite2-City.mmdb The GeoIP2 database to use. Default: F. This must be a C or a C file, see L and L for more information. The database can contain IPv4 or IPv6 addresses or both. =item action=ACTION Sets the default action if no location matches. Default is C. Other possible values are C or C. For the meanigns of these, see above. =item language=NAME Sets the language to be used to find names (city etc.). Default is C. =item debug Adds some debugging output to syslog. =back =head1 FILES =over 4 =item /etc/security/geoip.conf The default configuration file for this module =item /etc/security/geoip.SERVICE.conf The default configuration file for PAM service SERVICE =item /etc/pam.d/* The L configuration files =back =head1 SEE ALSO L, L, L, L =head1 AUTHOR Amish - GeoIP2 Hanno Hecker - Legacy GeoIP Cvetinari@ankh-morp.orgE> =cut pam_geoip-2.1.1/pam_geoip.c000066400000000000000000000264021343224526600155720ustar00rootroot00000000000000/* * pam_geoip.c - account module to check GeoIP information * * $Id$ * */ /* * Copyright (c) 2019 Amish - GeoIP2 support * Copyright (c) 2010-2012 Hanno Hecker - Legacy GeoIP * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, and the entire permission notice in its entirety, * including the disclaimer of warranties. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU General Public License, in which case the provisions of the * GPL are required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "pam_geoip.h" void free_locations(struct locations *list) { struct locations *entry; while (list) { entry = list; list = list->next; if (entry->city) free(entry->city); if (entry->country) free(entry->country); free(entry); } } void free_opts(struct options *opts) { if (opts->system_file) free(opts->system_file); if (opts->service_file) free(opts->service_file); if (opts->geoip_db) free(opts->geoip_db); if (opts->language) free(opts->language); free(opts); } PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { struct options *opts; FILE *fh; char *username; /* username requesting access */ char *rhost; /* remote host */ char *srv; /* PAM service we're running as */ char buf[LINE_LENGTH]; int retval, action; struct locations *geo; const char *gi_type; MMDB_s gi; MMDB_lookup_result_s rec; MMDB_entry_data_s entry_data; int gai_error, mmdb_error; opts = malloc(sizeof(struct options)); if (!opts) { pam_syslog(pamh, LOG_CRIT, "malloc error 'opts': %m"); return PAM_SERVICE_ERR; } opts->debug = 0; opts->action = PAM_PERM_DENIED; opts->system_file = NULL; opts->service_file = NULL; opts->by_service = 0; opts->geoip_db = NULL; opts->is_city_db = 0; opts->language = NULL; geo = malloc(sizeof(struct locations)); if (!geo) { pam_syslog(pamh, LOG_CRIT, "malloc error 'geo': %m"); free_opts(opts); return PAM_SERVICE_ERR; } geo->country = NULL; geo->city = NULL; geo->next = NULL; geo->latitude = 90.0; geo->longitude = 0.0; _parse_args(pamh, argc, argv, opts); if (!opts->system_file) opts->system_file = strdup(SYSTEM_FILE); if (!opts->system_file) { pam_syslog(pamh, LOG_CRIT, "malloc error 'opts->system_file': %m"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } if (!opts->geoip_db) opts->geoip_db = strdup(GEOIPDB_FILE); if (!opts->geoip_db) { pam_syslog(pamh, LOG_CRIT, "malloc error 'opts->geoip_db': %m"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } if (!opts->language) opts->language = strdup("en"); if (!opts->language) { pam_syslog(pamh, LOG_CRIT, "malloc error 'opts->language': %m"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } if (opts->debug) pam_syslog(pamh, LOG_DEBUG, "DB language to be used: %s", opts->language); retval = pam_get_item(pamh, PAM_USER, (void*) &username); if (!username || retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_CRIT, "error recovering username"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } retval = pam_get_item(pamh, PAM_RHOST, (void*) &rhost); if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_CRIT, "error fetching rhost"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } if (!rhost) { pam_syslog(pamh, LOG_INFO, "rhost is NULL, allowing"); free_opts(opts); free_locations(geo); return PAM_SUCCESS; } retval = pam_get_item(pamh, PAM_SERVICE, (void*) &srv); if (!srv || retval != PAM_SUCCESS ) { pam_syslog(pamh, LOG_CRIT, "error requesting service name"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } opts->service_file = malloc(PATH_MAX); if (!opts->service_file) { pam_syslog(pamh, LOG_CRIT, "malloc error 'service_file': %m"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } if (snprintf(opts->service_file, PATH_MAX-1, SERVICE_FILE, srv) < 0) { pam_syslog(pamh, LOG_CRIT, "snprintf error 'service_file'"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } retval = MMDB_open(opts->geoip_db, MMDB_MODE_MMAP, &gi); if (retval != MMDB_SUCCESS) { pam_syslog(pamh, LOG_CRIT, "failed to open geoip db (%s - %s): %m", opts->geoip_db, MMDB_strerror(retval)); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } gi_type = gi.metadata.database_type; if (opts->debug) { pam_syslog(pamh, LOG_DEBUG, "GeoIP database type: %s", gi_type); pam_syslog(pamh, LOG_DEBUG, "GeoIP IP version: %d", gi.metadata.ip_version); } if (!gi_type || (!strstr(gi_type, "Country") && !strstr(gi_type, "City"))) { pam_syslog(pamh, LOG_CRIT, "Not a City or Country DB. Reported GeoIP DB type = %s", gi_type); MMDB_close(&gi); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } opts->is_city_db = strstr(gi_type, "City") ? 1 : 0; if (opts->debug) pam_syslog(pamh, LOG_DEBUG, "GeoIP DB is City DB: %s", opts->is_city_db ? "yes" : "no"); rec = MMDB_lookup_string(&gi, rhost, &gai_error, &mmdb_error); if (gai_error || mmdb_error != MMDB_SUCCESS || !rec.found_entry) { pam_syslog(pamh, LOG_INFO, "no record detected for %s, setting GeoIP to 'UNKNOWN,*'", rhost); geo->city = strdup("*"); geo->country = strdup("UNKNOWN"); } else { if (opts->is_city_db) { retval = MMDB_get_value(&rec.entry, &entry_data, "city", "names", opts->language, NULL); if (retval == MMDB_SUCCESS && entry_data.has_data && entry_data.type == MMDB_DATA_TYPE_UTF8_STRING && entry_data.data_size > 0) geo->city = strndup(entry_data.utf8_string, entry_data.data_size); else geo->city = strdup("*"); retval = MMDB_get_value(&rec.entry, &entry_data, "location", "latitude", NULL); if (retval == MMDB_SUCCESS && entry_data.has_data && entry_data.type == MMDB_DATA_TYPE_DOUBLE) geo->latitude = entry_data.double_value; retval = MMDB_get_value(&rec.entry, &entry_data, "location", "longitude", NULL); if (retval == MMDB_SUCCESS && entry_data.has_data && entry_data.type == MMDB_DATA_TYPE_DOUBLE) geo->longitude = entry_data.double_value; } else geo->city = strdup("*"); retval = MMDB_get_value(&rec.entry, &entry_data, "country", "iso_code", NULL); if (retval == MMDB_SUCCESS && entry_data.has_data && entry_data.type == MMDB_DATA_TYPE_UTF8_STRING && entry_data.data_size > 0) geo->country = strndup(entry_data.utf8_string, entry_data.data_size); else geo->country = strdup("UNKNOWN"); } MMDB_close(&gi); if (!geo->city || !geo->country) { pam_syslog(pamh, LOG_CRIT, "malloc error 'geo->{city,country}': %m"); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } if (opts->debug) { pam_syslog(pamh, LOG_DEBUG, "GeoIP record for %s: %s,%s", rhost, geo->country, geo->city); if (strcmp(geo->country, "UNKNOWN") && opts->is_city_db) pam_syslog(pamh, LOG_DEBUG, "GeoIP coordinates for %s: %f,%f", rhost, geo->latitude, geo->longitude); } if ((fh = fopen(opts->service_file, "r")) != NULL) { opts->by_service = 1; if (opts->debug) pam_syslog(pamh, LOG_DEBUG, "using services file %s", opts->service_file); } else if ((fh = fopen(opts->system_file, "r")) == NULL) { pam_syslog(pamh, LOG_CRIT, "error opening %s: %m", opts->system_file); free_opts(opts); free_locations(geo); return PAM_SERVICE_ERR; } action = opts->action; char location[LINE_LENGTH]; while (fgets(buf, LINE_LENGTH, fh) != NULL) { char *line, *ptr; char domain[LINE_LENGTH], service[LINE_LENGTH]; action = opts->action; line = buf; while (*line && isspace(*line)) ++line; /* skip the leading white space */ ptr = strchr(line,'#'); if (ptr) *ptr = 0; /* Rip off the comments */ ptr = strchr(line,'\n'); if (ptr) *ptr = 0; /* Rip off the newline char */ if (!line[0]) continue; /* Anything left ? */ action = parse_conf_line(pamh, line, domain, opts->by_service ? NULL : service, location); if (action < 0) { /* parsing failed */ action = opts->action; continue; } if (!opts->by_service && !check_service(pamh, service, srv)) continue; if (!strcmp(domain, "*") || !strcmp(username, domain)) { if (check_location(pamh, opts, location, geo)) break; } else if (domain[0] == '@' && pam_modutil_user_in_group_nam_nam(pamh, username, domain+1) && check_location(pamh, opts, location, geo)) break; } fclose(fh); free_locations(geo); free_opts(opts); switch (action) { case PAM_SUCCESS: pam_syslog(pamh, LOG_DEBUG, "location %s allowed for user %s from %s", location, username, rhost); break; case PAM_PERM_DENIED: pam_syslog(pamh, LOG_DEBUG, "location %s denied for user %s from %s", location, username, rhost); break; case PAM_IGNORE: pam_syslog(pamh, LOG_DEBUG, "location %s ignored for user %s from %s", location, username, rhost); break; default: /* should not happen */ pam_syslog(pamh, LOG_DEBUG, "location status: %d for user %s from %s", action, username, rhost); break; }; return action; } /* * vim: ts=4 sw=4 expandtab */ pam_geoip-2.1.1/pam_geoip.h000066400000000000000000000042561343224526600156020ustar00rootroot00000000000000/* * pam_geoip.h - account module to check GeoIP information * * $Id$ * */ #ifndef _PAM_GEOIP_H #define _PAM_GEOIP_H #define _GNU_SOURCE #define _DEFAULT_SOURCE #include #include #include #include #include #include #include #include #include #include #include /* pam_modutil_user_in_group_nam_nam() */ #include /* pam_syslog() */ #include #define PAM_SM_ACCOUNT #include #define LINE_LENGTH 4095 #ifndef PATH_MAX # define PATH_MAX 1024 #endif /* PATH_MAX */ #ifndef LANG_MAX # define LANG_MAX 128 #endif /* LANG_MAX */ #define SYSTEM_FILE "/etc/security/geoip.conf" #define SERVICE_FILE "/etc/security/geoip.%s.conf" #define GEOIPDB_FILE "/usr/share/GeoIP/GeoLite2-City.mmdb" /* GeoIP locations in geoip.conf */ struct locations { char *country; char *city; double latitude; double longitude; float radius; /* in km */ struct locations *next; }; /* options set on "command line" in /etc/pam.d/ */ struct options { char *system_file; char *geoip_db; char *service_file; /* not on cmd line */ int by_service; /* if service_file can be opened this is true */ int action; int is_city_db; int debug; char *language; }; extern struct locations *parse_locations(pam_handle_t *pamh, struct options *opts, char *location_string); extern void free_locations(struct locations *list); extern void free_opts(struct options *opts); extern int parse_action(pam_handle_t *pamh, char *name); extern int parse_conf_line(pam_handle_t *pamh, char *line, char *domain, char *service, char *location); extern int check_service(pam_handle_t *pamh, char *services, char *srv); extern double calc_distance(double latitude, double longitude, double geo_lat, double geo_long); extern int check_location(pam_handle_t *pamh, struct options *opts, char *location_string, struct locations *geo); extern void _parse_args(pam_handle_t *pamh, int argc, const char **argv, struct options *opts); #endif /* _PAM_GEOIP_H */ /* * vim: ts=4 sw=4 expandtab */ pam_geoip-2.1.1/parse.c000066400000000000000000000075511343224526600147500ustar00rootroot00000000000000/* * parse.c - account module to check GeoIP information * * $Id$ * */ #include "pam_geoip.h" struct locations *parse_locations(pam_handle_t *pamh, struct options *opts, char *location_string) { float radius; double latitude, longitude; struct locations *entry, *walker, *list; char *country, *city, *single, *end, *next; char *string = strdup(location_string ? location_string : ""); if (!string) { pam_syslog(pamh, LOG_CRIT, "failed to strdup: %m"); return NULL; } entry = walker = list = NULL; single = string; while (*single) { if (isspace(*single)) { ++single; continue; } country = NULL; city = NULL; end = single; while (*end && *end != ';') ++end; if (*end) next = end + 1; else next = end; *end-- = 0; while (isspace(*end)) *end-- = 0; if (!single[0]) { single = next; continue; } if (sscanf(single, "%f { %lf , %lf }", &radius, &latitude, &longitude) == 3) { if (fabs(latitude) > 90.0 || fabs(longitude) > 180.0) { pam_syslog(pamh, LOG_WARNING, "illegal value(s) in LAT/LONG: %f, %f", latitude, longitude); single = next; continue; } } else { country = single; while (*single && *single != ',') ++single; /* single is now at the end of country */ if (*single) city = single + 1; else city = "*"; *single-- = 0; while (isspace(*single)) *single-- = 0; if (!country[0]) country = "*"; while (isspace(*city)) ++city; if (!city[0]) city = "*"; } single = next; entry = malloc(sizeof(struct locations)); if (!entry) { pam_syslog(pamh, LOG_CRIT, "failed to malloc: %m"); free(string); return NULL; } entry->next = NULL; if (!country) { entry->radius = radius; entry->longitude = longitude; entry->latitude = latitude; entry->country = NULL; entry->city = NULL; } else { entry->country = strdup(country); if (!entry->country) { pam_syslog(pamh, LOG_CRIT, "failed to malloc: %m"); free(entry); free(string); return NULL; } entry->city = strdup(city); if (!entry->city) { pam_syslog(pamh, LOG_CRIT, "failed to malloc: %m"); free(entry->country); free(entry); free(string); return NULL; } } if (!list) list = entry; else walker->next = entry; walker = entry; } free(string); return list; } int parse_action(pam_handle_t *pamh, char *name) { int action = -1; if (!strcmp(name, "deny")) action = PAM_PERM_DENIED; else if (!strcmp(name, "allow")) action = PAM_SUCCESS; else if (!strcmp(name, "ignore")) action = PAM_IGNORE; else pam_syslog(pamh, LOG_WARNING, "invalid action '%s' - skipped", name); return action; } int parse_conf_line(pam_handle_t *pamh, char *line, char *domain, char *service, char *location) { char *str; char action[LINE_LENGTH+1]; if ((service && sscanf(line, "%s %s %s %[^\n]", domain, service, action, location) != 4) || (!service && sscanf(line, "%s %s %[^\n]", domain, action, location) != 3) ) { pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line); return -1; } /* remove white space from the end */ str = location + strlen(location) - 1; while (isspace(*str)) *str-- = 0; return parse_action(pamh, action); } /* * vim: ts=4 sw=4 expandtab */