1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, is permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice immediately at the beginning of the file, without modification,
.\" this list of conditions, and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. This work was done expressly for inclusion into FreeBSD. Other use
.\" is permitted provided this notation is included.
.\" 4. Absolutely no warranty of function or purpose is made by the author
.\" David Nugent.
.\" 5. Modifications may be freely made to this file providing the above
.\" conditions are met.
.\"
.\" $FreeBSD$
.\"
.Dd January 2, 1997
.Os FreeBSD
.Dt LOGIN_OK 3
.Sh NAME
.Nm auth_ttyok
.Nm auth_hostok
.Nm auth_timeok
.Nd Functions for checking login class based login restrictions
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <time.h>
.Fd #include <login_cap.h>
.Ft int
.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
.Ft int
.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
.Ft int
.Fn auth_timeok "login_cap_t *lc" "time_t t"
.Sh DESCRIPTION
This set of functions checks to see if login is allowed based on login
class capability entries in the login database,
.Xr login.conf 5 .
.Pp
.Fn auth_ttyok
checks to see if the named tty is available to users of a specific
class, and is either in the
.Em ttys.allow
access list, and not in
the
.Em ttys.deny
access list.
An empty
.Em ttys.allow
list (or if no such capability exists for
the give login class) logins via any tty device are allowed unless
the
.Em ttys.deny
list exists and is non-empty, and the device or its
tty group (see
.Xr ttys 5 )
is not in the list.
Access to ttys may be allowed or restricted specifically by tty device
name, a device name which includes a wildcard (e.g. ttyD* or cuaD*),
or may name a ttygroup, when group=<name> tags have been assigned in
.Pa /etc/ttys .
Matching of ttys and ttygroups is case sensitive.
Passing a
.Dv NULL
or empty string as the
.Ar tty
parameter causes the function to return a non-zero value.
.Pp
.Fn auth_hostok
checks for any host restrictions for remote logins.
The function checks on both a host name and IP address (given in its
text form, typically n.n.n.n) against the
.Em host.allow
and
.Em host.deny
login class capabilities.
As with ttys and their groups, wildcards and character classes may be
used in the host allow and deny capability records.
The
.Xr fnmatch 3
function is used for matching, and the matching on hostnames is case
insensitive.
Note that this function expects that the hostname is fully expanded
(i.e. the local domain name added if necessary) and the IP address
is in its canonical form.
No hostname or address lookups are attempted.
.Pp
It is possible to call this function with either the hostname or
the IP address missing (i.e.
.Dv NULL )
and matching will be performed
only on the basis of the parameter given.
Passing
.Dv NULL
or empty strings in both parameters will result in
a non-zero return value.
.Pp
The
.Fn auth_timeok
function checks to see that a given time value is within the
.Em times.allow
login class capability and not within the
.Em times.deny
access lists.
An empty or non-existent
.Em times.allow
list allows access at any
time, except if a given time is falls within a period in the
.Em times.deny
list.
The format of time period records contained in both
.Em times.allow
and
.Em times.deny
capability fields is explained in detail in the
.Xr login_times 3
manual page.
.Sh RETURN VALUES
A non-zero return value from any of these functions indicates that
login access is granted.
A zero return value means either that the item being tested is not
in the
.Em allow
access list, or is within the
.Em deny
access list.
.Sh SEE ALSO
.Xr getcap 3 ,
.Xr login_cap 3 ,
.Xr login_class 3 ,
.Xr login_times 3 ,
.Xr login.conf 5 ,
.Xr termcap 5
|
