freebsd-dev/lib/libutil/login_ok.3
David Nugent 68bbf3adb0 Library functions relating to the login class capabilities database,
including manpages.
See also login_cap.h.
1997-01-04 16:50:08 +00:00

110 lines
4.1 KiB
Groff

.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, is permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice immediately at the beginning of the file, without modification,
.\" this list of conditions, and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. This work was done expressly for inclusion into FreeBSD. Other use
.\" is permitted provided this notation is included.
.\" 4. Absolutely no warranty of function or purpose is made by the author
.\" David Nugent.
.\" 5. Modifications may be freely made to this file providing the above
.\" conditions are met.
.\"
.\" $Id$
.\"
.Dd January 2, 1997
.Os FreeBSD
.Dt LOGIN_OK 3
.Sh NAME
.Nm auth_ttyok
.Nm auth_hostok
.Nm auth_timeok
.Nd Functions for checking login class based login restrictions
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <time.h>
.Fd #include <login_cap.h>
.Ft int
.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
.Ft int
.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
.Ft int
.Fn auth_timeok "login_cap_t *lc" "time_t t"
.Sh DESCRIPTION
This set of functions checks to see if login is allowed based on login
class capability entries in the login database,
.Xr login.conf 5 .
.Pp
.Fn auth_ttyok
checks to see if the named tty is available to users of a specific
class, and is either in the "ttys.allow" access list, and not in
the "ttys.deny" access list.
An empty "ttys.allowed" list (or if no such capability exists for
the give login class) logins via any tty device are allowed unless
the "ttys.deny" list exists and is non-empty, and the device or its
tty group (see
.Xr ttys 5 )
is not in the list.
Access to ttys may be allowed or restricted specifically by tty device
name, a device name which includes a wildcard (e.g. ttyD* or cuaD*),
or may name a ttygroup, when group=<name> tags have been assigned in
.Pa /etc/ttys .
Matching of ttys and ttygroups is case sensitive.
Passing a NULL or empty string as the
.Ar tty
parameter causes the function to return a non-zero value.
.Pp
.Fn auth_hostok
checks for any host restrictions for remote logins.
The function checks on both a host name and IP address (given in its
text form, typically n.n.n.n) against the "host.allow" and "host.deny"
login class capabilities.
As with ttys and their groups, wildcards and character classes may be
used in the host allow and deny capability records.
The
.Xr fnmatch 3
function is used for matching, and the matching on hostnames is case
insensitive.
Note that this function expects that the hostname is fully expanded
(i.e. the local domain name added if necessary) and the IP address
is in its canonical form.
No hostname or address lookups are attempted.
.Pp
It is possible to call this function with either the hostname or
the IP address missing (i.e. NULL) and matching will be performed
only on the basis of the parameter given.
Passing NULL or empty strings in both parameters will result in
a non-zero return value.
.Pp
The
.Fn auth_timeok
function checks to see that a given time value is within the
"times.allow" login class capability and not within the
"times.deny" access lists.
An empty or non-existent "times.allow" list allows access at any
time, except if a given time is falls within a period in the
"times.deny" list.
The format of time period records contained in both "times.allow"
and "times.deny" capability fields is explained in detail in the
.Xr login_times 3
manual page.
.Sh RETURN VALUES
A non-zero return value from any of these functions indicates that
login access is granted.
A zero return value means either that the item being tested is not
in the "allow" access list, or is within the "deny" access list.
.Sh SEE ALSO
.Xr login.conf 5 ,
.Xr login_cap 3 ,
.Xr login_class 3 ,
.Xr login_times 3 ,
.Xr termcap 5 ,
.Xr getcap 3