.\" Copyright (c) 1995 David Nugent <[email protected]>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, is permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice immediately at the beginning of the file, without modification,
.\" this list of conditions, and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. This work was done expressly for inclusion into FreeBSD. Other use
.\" is permitted provided this notation is included.
.\" 4. Absolutely no warranty of function or purpose is made by the author
.\" David Nugent.
.\" 5. Modifications may be freely made to this file providing the above
.\" conditions are met.
.\"
.\" $FreeBSD$
.\"
.Dd May 10, 2020
.Dt LOGIN_OK 3
.Os
.Sh NAME
.Nm auth_ttyok ,
.Nm auth_hostok ,
.Nm auth_timeok
.Nd functions for checking login class based login restrictions
.Sh LIBRARY
.Lb libutil
.Sh SYNOPSIS
.In sys/types.h
.In time.h
.In login_cap.h
.Ft int
.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
.Ft int
.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
.Ft int
.Fn auth_timeok "login_cap_t *lc" "time_t t"
.Sh DESCRIPTION
This set of functions checks to see if login is allowed based on login
class capability entries in the login database,
.Xr login.conf 5 .
.Pp
The
.Fn auth_ttyok
function checks to see if the named tty is available to users of a specific
class, that is, whether it is in the
.Em ttys.allow
access list and not in the
.Em ttys.deny
access list.
If the
.Em ttys.allow
list is empty (or no such capability exists for
the given login class), logins via any tty device are allowed unless
the
.Em ttys.deny
list exists and is non-empty, and the device or its
tty group (see
.Xr ttys 5 )
is not in the list.
Access to ttys may be allowed or restricted specifically by tty device
name, a device name which includes a wildcard (e.g.\& ttyD* or cuaD*),
or may name a ttygroup, when group=<name> tags have been assigned in
.Pa /etc/ttys .
Matching of ttys and ttygroups is case sensitive.
Passing a
.Dv NULL
or empty string as the
.Ar tty
parameter causes the function to return a non-zero value.
.Pp
The
.Fn auth_hostok
function checks for any host restrictions for remote logins.
The function checks on both a host name and IP address (given in its
text form, typically n.n.n.n) against the
.Em host.allow
and
.Em host.deny
login class capabilities.
As with ttys and their groups, wildcards and character classes may be
used in the host allow and deny capability records.
The
.Xr fnmatch 3
function is used for matching, and the matching on hostnames is case
insensitive.
Note that this function expects that the hostname is fully expanded
(i.e., the local domain name added if necessary) and the IP address
is in its canonical form.
No hostname or address lookups are attempted.
.Pp
It is possible to call this function with either the hostname or
the IP address missing (i.e.\&
.Dv NULL )
and matching will be performed
only on the basis of the parameter given.
Passing
.Dv NULL
or empty strings in both parameters will result in
a non-zero return value.
.Pp
The
.Fn auth_timeok
function checks to see that a given time value is within the
.Em times.allow
login class capability and not within the
.Em times.deny
access lists.
An empty or non-existent
.Em times.allow
list allows access at any
time, except if a given time falls within a period in the
.Em times.deny
list.
The format of time period records contained in both
.Em times.allow
and
.Em times.deny
capability fields is explained in detail in the
.Xr login_times 3
manual page.
.Sh RETURN VALUES
A non-zero return value from any of these functions indicates that
login access is granted.
A zero return value means either that the item being tested is not
in the
.Em allow
access list, or is within the
.Em deny
access list.
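.Sh EXAMPLES
The following C program is an added illustration; it is not part of the original manual page or of libutil.
It models the allow and deny rules from RETURN VALUES with fnmatch(3), including the case handling and the result for missing input.
The names model_hostok and model_ttyok and the sample lists are hypothetical, and host lists are assumed to follow the same empty-allow rule stated for ttys and times.

```c
/* Added example: a portable model of the documented allow/deny rules.
 * Not libutil source; every name and list below is hypothetical/constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* glibc needs this for FNM_CASEFOLD */
#endif
#include <fnmatch.h>
#include <stdio.h>

typedef const char *const *caplist;     /* NULL-terminated pattern list */

static int present(const char *s) { return s != NULL && s[0] != 0; }

/* 1 if either supplied string matches any pattern in the list. */
static int in_list(caplist l, const char *a, const char *b, int flags)
{
    for (; l != NULL && *l != NULL; l++)
        if ((present(a) && fnmatch(*l, a, flags) == 0) ||
            (present(b) && fnmatch(*l, b, flags) == 0))
            return 1;
    return 0;
}

/* Non-zero means "access granted", as in RETURN VALUES. */
static int model_ok(caplist allow, caplist deny, const char *a, const char *b, int flags)
{
    if (!present(a) && !present(b))
        return 1;               /* nothing to test: documented non-zero result */
    if (allow != NULL && *allow != NULL && !in_list(allow, a, b, flags))
        return 0;               /* allow list exists, item not in it */
    return !in_list(deny, a, b, flags);     /* item in deny list => 0 */
}

/* Hostnames match case-insensitively; tty names are case sensitive. */
int model_hostok(caplist allow, caplist deny, const char *host, const char *ip)
{ return model_ok(allow, deny, host, ip, FNM_CASEFOLD); }
int model_ttyok(caplist allow, caplist deny, const char *tty)
{ return model_ok(allow, deny, tty, NULL, 0); }    /* tty group lookup omitted */

/* Constructed sample policy. */
static const char *const host_allow[] = { "*.example.org", "192.0.2.*", NULL };
static const char *const host_deny[]  = { "guest*.example.org", NULL };
static const char *const tty_deny[]   = { "ttyD*", NULL };

int main(void)
{
    puts(model_hostok(host_allow, host_deny, "WWW.Example.ORG", NULL) ? "granted" : "denied");
    puts(model_hostok(host_allow, host_deny, NULL, "") ? "granted" : "denied");
    puts(model_ttyok(NULL, tty_deny, "ttyd0") ? "granted" : "denied");
    return 0;
}
```

A non-zero result for a NULL or empty host and address means no restriction was evaluated, so a caller that requires a host check must reject missing input itself.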
.Sh SEE ALSO
.Xr getcap 3 ,
.Xr login_cap 3 ,
.Xr login_class 3 ,
.Xr login_times 3 ,
.Xr login.conf 5 ,
.Xr termcap 5
.Sh HISTORY
The
.Fn auth_ttyok ,
.Fn auth_hostok
and
.Fn auth_timeok
functions first appeared in
.Fx 2.1.5 .