xref: /freebsd/lib/libutil/login_ok.3 (revision 32e43d391c46b7f79ca882a0c997fb62c72dbacf)
.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, is permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice immediately at the beginning of the file, without modification,
.\"    this list of conditions, and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
.\"    is permitted provided this notation is included.
.\" 4. Absolutely no warranty of function or purpose is made by the author
.\"    David Nugent.
.\" 5. Modifications may be freely made to this file providing the above
.\"    conditions are met.
.\"
.\" $Id: login_ok.3,v 1.1 1997/01/04 16:50:07 davidn Exp $
.\"
.Dd January 2, 1997
.Os FreeBSD
.Dt LOGIN_OK 3
.Sh NAME
.Nm auth_ttyok
.Nm auth_hostok
.Nm auth_timeok
.Nd Functions for checking login class based login restrictions
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <time.h>
.Fd #include <login_cap.h>
.Ft int
.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
.Ft int
.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
.Ft int
.Fn auth_timeok "login_cap_t *lc" "time_t t"
.Sh DESCRIPTION
This set of functions checks to see if login is allowed based on login
class capability entries in the login database,
.Xr login.conf 5 .
.Pp
.Fn auth_ttyok
checks to see if the named tty is available to users of a specific
class, that is, whether it is in the
.Em ttys.allow
access list and not in the
.Em ttys.deny
access list.
If the
.Em ttys.allow
list is empty (or no such capability exists for
the given login class), logins via any tty device are allowed unless
the
.Em ttys.deny
list exists and is non-empty, in which case the device and its
tty group (see
.Xr ttys 5 )
must not be in the list.
An access list entry may be a specific tty device
name, a device name which includes a wildcard (e.g. ttyD* or cuaD*),
or the name of a ttygroup, when group=<name> tags have been assigned in
.Pa /etc/ttys .
Matching of ttys and ttygroups is case sensitive.
Passing a
.Dv NULL
or empty string as the
.Ar tty
parameter causes the function to return a non-zero value.
.Pp
.Fn auth_hostok
checks for any host restrictions for remote logins.
The function checks both a host name and an IP address (given in its
text form, typically n.n.n.n) against the
.Em host.allow
and
.Em host.deny
login class capabilities.
As with ttys and their groups, wildcards and character classes may be
used in the host allow and deny capability records.
The
.Xr fnmatch 3
function is used for matching, and the matching on hostnames is case
insensitive.
Note that this function expects that the hostname is fully expanded
(i.e. the local domain name added if necessary) and the IP address
is in its canonical form.
No hostname or address lookups are attempted.
.Pp
It is possible to call this function with either the hostname or
the IP address missing (i.e.
.Dv NULL )
and matching will be performed
only on the basis of the parameter given.
Passing
.Dv NULL
or empty strings in both parameters will result in
a non-zero return value.
.Pp
The
.Fn auth_timeok
function checks to see that a given time value is within the
.Em times.allow
login class capability and not within the
.Em times.deny
access lists.
An empty or non-existent
.Em times.allow
list allows access at any
time, except if a given time falls within a period in the
.Em times.deny
list.
The format of time period records contained in both
.Em times.allow
and
.Em times.deny
capability fields is explained in detail in the
.Xr login_times 3
manual page.
.Sh RETURN VALUES
A non-zero return value from any of these functions indicates that
login access is granted.
A zero return value means either that the item being tested is not
in the
.Em allow
access list, or is within the
.Em deny
access list.
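.Sh EXAMPLES
The following is an added example, not part of the original manual page and not the libutil implementation: a self-contained C model of the allow and deny rule described above, built on
.Xr fnmatch 3 .
The names model_ttyok, model_hostok and MAXLEN are hypothetical; counting a match on either the host name or the address as a match for a list is an assumption, and tty groups are not modelled.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <string.h>

#define MAXLEN 256                  /* size limit chosen for this model */
typedef const char *const *list_t;  /* NULL-terminated pattern list */
/* fnmatch(3) on copies of pat and s, lower-cased when fold is set. */
static int match(const char *pat, const char *s, int fold)
{
    char p[MAXLEN], t[MAXLEN];

    if (s == NULL || *s == '\0' || strlen(pat) >= MAXLEN || strlen(s) >= MAXLEN)
        return 0;
    for (size_t i = 0; i <= strlen(pat); i++)
        p[i] = fold ? (char)tolower((unsigned char)pat[i]) : pat[i];
    for (size_t i = 0; i <= strlen(s); i++)
        t[i] = fold ? (char)tolower((unsigned char)s[i]) : s[i];
    return fnmatch(p, t, 0) == 0;
}

/* 1 if any pattern in the list matches a or b. */
static int in_list(list_t list, const char *a, const char *b, int fold)
{
    for (; list != NULL && *list != NULL; list++)
        if (match(*list, a, fold) || match(*list, b, fold))
            return 1;
    return 0;
}

/* Grant when in allow (or allow is empty or absent) and not in deny. */
static int allowed(list_t al, list_t dn, const char *a, const char *b, int fold)
{
    if ((a == NULL || *a == '\0') && (b == NULL || *b == '\0'))
        return 1;                   /* documented: nothing to test grants */
    if ((a != NULL && strlen(a) >= MAXLEN) || (b != NULL && strlen(b) >= MAXLEN))
        return 0;                   /* model choice: refuse oversize input */
    if (al != NULL && *al != NULL && !in_list(al, a, b, fold))
        return 0;
    return !in_list(dn, a, b, fold);
}

int model_ttyok(list_t allow, list_t deny, const char *tty)
{
    return allowed(allow, deny, tty, NULL, 0);  /* case sensitive */
}

int model_hostok(list_t allow, list_t deny, const char *host, const char *ip)
{
    return allowed(allow, deny, host, ip, 1);   /* case insensitive */
}
```

With the constructed lists allow = {"*.example.org", NULL} and deny = {"10.0.0.*", NULL}, model_hostok grants ("WWW.Example.ORG", "192.0.2.7"), refuses ("www.example.org", "10.0.0.5"), and grants (NULL, ""). The last case is why a caller that requires a known origin has to reject a missing tty or host itself before relying on these checks.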
.Sh SEE ALSO
.Xr getcap 3 ,
.Xr login_cap 3 ,
.Xr login_class 3 ,
.Xr login_times 3 ,
.Xr login.conf 5 ,
.Xr termcap 5