.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, is permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice immediately at the beginning of the file, without modification,
.\"    this list of conditions, and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. This work was done expressly for inclusion into FreeBSD. Other use
.\"    is permitted provided this notation is included.
.\" 4. Absolutely no warranty of function or purpose is made by the author
.\"    David Nugent.
.\" 5. Modifications may be freely made to this file providing the above
.\"    conditions are met.
.\"
.Dd May 10, 2020
.Dt LOGIN_OK 3
.Os
.Sh NAME
.Nm auth_ttyok ,
.Nm auth_hostok ,
.Nm auth_timeok
.Nd functions for checking login class based login restrictions
.Sh LIBRARY
.Lb libutil
.Sh SYNOPSIS
.In sys/types.h
.In time.h
.In login_cap.h
.Ft int
.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
.Ft int
.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
.Ft int
.Fn auth_timeok "login_cap_t *lc" "time_t t"
.Sh DESCRIPTION
This set of functions checks whether login is allowed, based on login
class capability entries in the login database,
.Xr login.conf 5 .
.Pp
The
.Fn auth_ttyok
function checks whether the named tty is available to users of a specific
class: the tty must be in the
.Em ttys.allow
access list (if that list exists and is non-empty) and must not be in the
.Em ttys.deny
access list.
If the
.Em ttys.allow
list is empty, or no such capability exists for the given login class,
logins via any tty device are allowed, unless the
.Em ttys.deny
list exists and is non-empty and the device or its
tty group (see
.Xr ttys 5 )
appears in that list.
Access to ttys may be allowed or restricted specifically by tty device
name, by a device name which includes a wildcard (e.g.\& ttyD* or cuaD*),
or by a ttygroup name, when group=<name> tags have been assigned in
.Pa /etc/ttys .
Matching of ttys and ttygroups is case sensitive.
Passing a
.Dv NULL
or empty string as the
.Ar tty
parameter causes the function to return a non-zero value.
.Pp
The
.Fn auth_hostok
function checks for any host restrictions for remote logins.
The function checks both a host name and an IP address (given in its
text form, typically n.n.n.n) against the
.Em host.allow
and
.Em host.deny
login class capabilities.
As with ttys and their groups, wildcards and character classes may be
used in the host allow and deny capability records.
The
.Xr fnmatch 3
function is used for matching, and matching on hostnames is case
insensitive.
Note that this function expects the hostname to be fully expanded
(i.e., the local domain name added if necessary) and the IP address
to be in its canonical form.
No hostname or address lookups are attempted.
.Pp
It is possible to call this function with either the hostname or
the IP address missing (i.e.\&
.Dv NULL )
and matching will be performed
only on the basis of the parameter given.
Passing
.Dv NULL
or empty strings in both parameters will result in
a non-zero return value.
.Pp
The
.Fn auth_timeok
function checks that a given time value is within the
.Em times.allow
login class capability and not within the
.Em times.deny
access list.
An empty or non-existent
.Em times.allow
list allows access at any
time, except if the given time falls within a period in the
.Em times.deny
list.
The format of the time period records contained in both the
.Em times.allow
and
.Em times.deny
capability fields is explained in detail in the
.Xr login_times 3
manual page.
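The allow/deny rule described for auth_ttyok() and auth_hostok() above, written out as a standalone C model. This is an added example, not the libutil implementation: it does not include login_cap.h, the capability lists that login.conf(5) would supply are passed in as NULL-terminated arrays, the function names (model_ttyok, model_hostok, allow_deny_ok, list_has, pat_match, lower_copy) are hypothetical, and the sample lists at the bottom are constructed. Hostname case folding is done by lowercasing copies of both strings rather than with a non-POSIX fnmatch(3) flag, so the example builds with any POSIX libc.

```c
/*
 * Added example: standalone model of the ttys.allow/ttys.deny and
 * host.allow/host.deny matching described in login_ok(3).  Not the
 * libutil code; lists are plain arrays instead of login_cap_t lookups.
 */
#include <ctype.h>
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>

#define BUF 256

/* Copy src into dst (at most n-1 bytes), lowercasing as we go. */
static void lower_copy(char *dst, size_t n, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* fnmatch(3) wrapper.  A NULL or empty item never matches; fold_case
 * lowercases both sides as a portable stand-in for FNM_CASEFOLD. */
static int pat_match(const char *pattern, const char *item, int fold_case)
{
    char p[BUF], s[BUF];
    if (item == NULL || *item == '\0')
        return 0;
    if (!fold_case)
        return fnmatch(pattern, item, 0) == 0;
    lower_copy(p, sizeof p, pattern);
    lower_copy(s, sizeof s, item);
    return fnmatch(p, s, 0) == 0;
}

/* Does any pattern in the NULL-terminated list match either candidate
 * string (tty name or its ttys(5) group; hostname or IP text)? */
static int list_has(const char *const *list, const char *a, const char *b,
                    int fold_case)
{
    if (list == NULL)
        return 0;
    for (; *list != NULL; list++)
        if (pat_match(*list, a, fold_case) || pat_match(*list, b, fold_case))
            return 1;
    return 0;
}

/* The rule from the DESCRIPTION: an empty or missing allow list permits
 * anything not on the deny list; otherwise the item must be on the allow
 * list and must not be on the deny list.  Non-zero means access granted. */
static int allow_deny_ok(const char *const *allow, const char *const *deny,
                         const char *a, const char *b, int fold_case)
{
    int allow_is_empty = (allow == NULL || allow[0] == NULL);
    if (!allow_is_empty && !list_has(allow, a, b, fold_case))
        return 0;
    return !list_has(deny, a, b, fold_case);
}

/* Model of auth_ttyok(): case-sensitive matching on the device name or
 * its group.  A NULL or empty tty yields non-zero (granted), as the manual
 * page states, so a caller must not rely on an absent tty being refused. */
int model_ttyok(const char *const *allow, const char *const *deny,
                const char *tty, const char *ttygroup)
{
    if (tty == NULL || *tty == '\0')
        return 1;
    return allow_deny_ok(allow, deny, tty, ttygroup, 0);
}

/* Model of auth_hostok(): case-insensitive matching, no lookups (the
 * caller supplies the expanded hostname and canonical address text), and
 * NULL/empty for both arguments yields non-zero (granted).  Folding the
 * address text too changes nothing for dotted-quad input. */
int model_hostok(const char *const *allow, const char *const *deny,
                 const char *host, const char *ip)
{
    int no_host = (host == NULL || *host == '\0');
    int no_ip = (ip == NULL || *ip == '\0');
    if (no_host && no_ip)
        return 1;
    return allow_deny_ok(allow, deny, host, ip, 1);
}

/* Constructed sample lists, standing in for login.conf(5) entries such as
 *   :ttys.allow=ttyv*,dialup:ttys.deny=ttyv0:
 *   :host.allow=*.example.org,192.0.2.*:host.deny=bad.example.org:  */
const char *const sample_tty_allow[]  = { "ttyv*", "dialup", NULL };
const char *const sample_tty_deny[]   = { "ttyv0", NULL };
const char *const sample_host_allow[] = { "*.example.org", "192.0.2.*", NULL };
const char *const sample_host_deny[]  = { "bad.example.org", NULL };

int main(void)
{
    printf("ttyv1            -> %d\n", model_ttyok(sample_tty_allow, sample_tty_deny, "ttyv1", NULL));      /* 1 */
    printf("ttyv0            -> %d\n", model_ttyok(sample_tty_allow, sample_tty_deny, "ttyv0", NULL));      /* 0: denied */
    printf("cuaU0 in dialup  -> %d\n", model_ttyok(sample_tty_allow, sample_tty_deny, "cuaU0", "dialup"));  /* 1: via group */
    printf("TTYV1            -> %d\n", model_ttyok(sample_tty_allow, sample_tty_deny, "TTYV1", NULL));      /* 0: case sensitive */
    printf("WWW.EXAMPLE.ORG  -> %d\n", model_hostok(sample_host_allow, sample_host_deny, "WWW.EXAMPLE.ORG", NULL)); /* 1: case folded */
    printf("bad.example.org  -> %d\n", model_hostok(sample_host_allow, sample_host_deny, "bad.example.org", "192.0.2.7")); /* 0 */
    printf("no host, no ip   -> %d\n", model_hostok(sample_host_allow, sample_host_deny, NULL, ""));        /* 1 */
    return 0;
}
```

The last two tty checks and the final host check are the ones worth remembering: a tty name differing only in case is refused, while an empty tty or an empty host/IP pair is granted. A program gating access on these calls therefore has to supply the tty name and the expanded hostname and canonical address itself; the functions do not look anything up and do not treat missing input as a deny.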
.Sh RETURN VALUES
A non-zero return value from any of these functions indicates that
login access is granted.
A zero return value means either that the item being tested is not
in the
.Em allow
access list, or is within the
.Em deny
access list.
.Sh SEE ALSO
.Xr getcap 3 ,
.Xr login_cap 3 ,
.Xr login_class 3 ,
.Xr login_times 3 ,
.Xr login.conf 5 ,
.Xr termcap 5
.Sh HISTORY
The
.Fn auth_ttyok ,
.Fn auth_hostok
and
.Fn auth_timeok
functions first appeared in
.Fx 2.1.5 .