xref: /freebsd/lib/libutil/login_ok.3 (revision 3dc329d1be00b8b4ba4a45886b6374289daa8ab0) 
1.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, is permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice immediately at the beginning of the file, without modification,
9.\"    this list of conditions, and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
14.\"    is permitted provided this notation is included.
15.\" 4. Absolutely no warranty of function or purpose is made by the author
16.\"    David Nugent.
17.\" 5. Modifications may be freely made to this file providing the above
18.\"    conditions are met.
19.\"
20.\" $FreeBSD$
21.\"
22.Dd January 2, 1997
23.Os FreeBSD
24.Dt LOGIN_OK 3
25.Sh NAME
26.Nm auth_ttyok ,
27.Nm auth_hostok ,
28.Nm auth_timeok
29.Nd functions for checking login class based login restrictions
30.Sh LIBRARY
31.Lb libutil
32.Sh SYNOPSIS
33.Fd #include <sys/types.h>
34.Fd #include <time.h>
35.Fd #include <login_cap.h>
36.Ft int
37.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
38.Ft int
39.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
40.Ft int
41.Fn auth_timeok "login_cap_t *lc" "time_t t"
42.Sh DESCRIPTION
43This set of functions checks to see if login is allowed based on login
44class capability entries in the login database,
45.Xr login.conf 5 .
46.Pp
47.Fn auth_ttyok
48checks to see if the named tty is available to users of a specific
49class, and is either in the
50.Em ttys.allow
51access list, and not in
52the
53.Em ttys.deny
54access list.
55An empty
56.Em ttys.allow
57list (or if no such capability exists for
58the give login class) logins via any tty device are allowed unless
59the
60.Em ttys.deny
61list exists and is non-empty, and the device or its
62tty group (see
63.Xr ttys 5 )
64is not in the list.
65Access to ttys may be allowed or restricted specifically by tty device
66name, a device name which includes a wildcard (e.g. ttyD* or cuaD*),
67or may name a ttygroup, when group=<name> tags have been assigned in
68.Pa /etc/ttys .
69Matching of ttys and ttygroups is case sensitive.
70Passing a
71.Dv NULL
72or empty string as the
73.Ar tty
74parameter causes the function to return a non-zero value.
75.Pp
76.Fn auth_hostok
77checks for any host restrictions for remote logins.
78The function checks on both a host name and IP address (given in its
79text form, typically n.n.n.n) against the
80.Em host.allow
81and
82.Em host.deny
83login class capabilities.
84As with ttys and their groups, wildcards and character classes may be
85used in the host allow and deny capability records.
86The
87.Xr fnmatch 3
88function is used for matching, and the matching on hostnames is case
89insensitive.
90Note that this function expects that the hostname is fully expanded
91(i.e. the local domain name added if necessary) and the IP address
92is in its canonical form.
93No hostname or address lookups are attempted.
94.Pp
95It is possible to call this function with either the hostname or
96the IP address missing (i.e.
97.Dv NULL )
98and matching will be performed
99only on the basis of the parameter given.
100Passing
101.Dv NULL
102or empty strings in both parameters will result in
103a non-zero return value.
104.Pp
105The
106.Fn auth_timeok
107function checks to see that a given time value is within the
108.Em times.allow
109login class capability and not within the
110.Em times.deny
111access lists.
112An empty or non-existent
113.Em times.allow
114list allows access at any
115time, except if a given time is falls within a period in the
116.Em times.deny
117list.
118The format of time period records contained in both
119.Em times.allow
120and
121.Em times.deny
122capability fields is explained in detail in the
123.Xr login_times 3
124manual page.
125.Sh RETURN VALUES
126A non-zero return value from any of these functions indicates that
127login access is granted.
128A zero return value means either that the item being tested is not
129in the
130.Em allow
131access list, or is within the
132.Em deny
133access list.
134.Sh SEE ALSO
135.Xr getcap 3 ,
136.Xr login_cap 3 ,
137.Xr login_class 3 ,
138.Xr login_times 3 ,
139.Xr login.conf 5 ,
140.Xr termcap 5
141