From 68bbf3adb0b5def46b5174261657b038543972e3 Mon Sep 17 00:00:00 2001
From: David Nugent
Date: Sat, 4 Jan 1997 16:50:08 +0000
Subject: Library functions relating to the login class capabilities database, including manpages. See also login_cap.h.
---
lib/libutil/login_ok.3 | 109 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 109 insertions(+)
create mode 100644 lib/libutil/login_ok.3
(limited to 'lib/libutil/login_ok.3')
diff --git a/lib/libutil/login_ok.3 b/lib/libutil/login_ok.3
new file mode 100644
index 000000000000..c459d9482f92
--- /dev/null
+++ b/lib/libutil/login_ok.3
@@ -0,0 +1,109 @@
+.\" Copyright (c) 1995 David Nugent
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, is permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice immediately at the beginning of the file, without modification,
+.\" this list of conditions, and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. This work was done expressly for inclusion into FreeBSD. Other use
+.\" is permitted provided this notation is included.
+.\" 4. Absolutely no warranty of function or purpose is made by the author
+.\" David Nugent.
+.\" 5. Modifications may be freely made to this file providing the above
+.\" conditions are met.
+.\"
+.\" $Id$
+.\"
+.Dd January 2, 1997
+.Os FreeBSD
+.Dt LOGIN_OK 3
+.Sh NAME
+.Nm auth_ttyok
+.Nm auth_hostok
+.Nm auth_timeok
+.Nd Functions for checking login class based login restrictions
+.Sh SYNOPSIS
+.Fd #include
+.Fd #include
+.Fd #include
+.Ft int
+.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
+.Ft int
+.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
+.Ft int
+.Fn auth_timeok "login_cap_t *lc" "time_t t"
+.Sh DESCRIPTION
+This set of functions checks to see if login is allowed based on login
+class capability entries in the login database,
+.Xr login.conf 5 .
+.Pp
+.Fn auth_ttyok
+checks to see if the named tty is available to users of a specific
+class, and is either in the "ttys.allow" access list, and not in
+the "ttys.deny" access list.
+An empty "ttys.allowed" list (or if no such capability exists for
+the give login class) logins via any tty device are allowed unless
+the "ttys.deny" list exists and is non-empty, and the device or its
+tty group (see
+.Xr ttys 5 )
+is not in the list.
+Access to ttys may be allowed or restricted specifically by tty device
+name, a device name which includes a wildcard (e.g. ttyD* or cuaD*),
+or may name a ttygroup, when group= tags have been assigned in
+.Pa /etc/ttys .
+Matching of ttys and ttygroups is case sensitive.
+Passing a NULL or empty string as the
+.Ar tty
+parameter causes the function to return a non-zero value.
+.Pp
+.Fn auth_hostok
+checks for any host restrictions for remote logins.
+The function checks on both a host name and IP address (given in its
+text form, typically n.n.n.n) against the "host.allow" and "host.deny"
+login class capabilities.
+As with ttys and their groups, wildcards and character classes may be
+used in the host allow and deny capability records.
+The
+.Xr fnmatch 3
+function is used for matching, and the matching on hostnames is case
+insensitive.
+Note that this function expects that the hostname is fully expanded
+(i.e. the local domain name added if necessary) and the IP address
+is in its canonical form.
+No hostname or address lookups are attempted.
+.Pp
+It is possible to call this function with either the hostname or
+the IP address missing (i.e. NULL) and matching will be performed
+only on the basis of the parameter given.
+Passing NULL or empty strings in both parameters will result in
+a non-zero return value.
+.Pp
+The
+.Fn auth_timeok
+function checks to see that a given time value is within the
+"times.allow" login class capability and not within the
+"times.deny" access lists.
+An empty or non-existent "times.allow" list allows access at any
+time, except if a given time is falls within a period in the
+"times.deny" list.
+The format of time period records contained in both "times.allow"
+and "times.deny" capability fields is explained in detail in the
+.Xr login_times 3
+manual page.
+.Sh RETURN VALUES
+A non-zero return value from any of these functions indicates that
+login access is granted.
+A zero return value means either that the item being tested is not
+in the "allow" access list, or is within the "deny" access list.
+.Sh SEE ALSO
+.Xr login.conf 5 ,
+.Xr login_cap 3 ,
+.Xr login_class 3 ,
+.Xr login_times 3 ,
+.Xr termcap 5 ,
+.Xr getcap 3
-- 
cgit v1.2.3