xref: /dragonfly/lib/libutil/login_ok.3 (revision 1de703da) 
1.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, is permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice immediately at the beginning of the file, without modification,
9.\"    this list of conditions, and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
14.\"    is permitted provided this notation is included.
15.\" 4. Absolutely no warranty of function or purpose is made by the author
16.\"    David Nugent.
17.\" 5. Modifications may be freely made to this file providing the above
18.\"    conditions are met.
19.\"
20.\" $FreeBSD: src/lib/libutil/login_ok.3,v 1.7.2.4 2001/12/17 10:08:32 ru Exp $
21.\" $DragonFly: src/lib/libutil/login_ok.3,v 1.2 2003/06/17 04:26:52 dillon Exp $
22.\"
23.Dd January 2, 1997
24.Os
25.Dt LOGIN_OK 3
26.Sh NAME
27.Nm auth_ttyok ,
28.Nm auth_hostok ,
29.Nm auth_timeok
30.Nd functions for checking login class based login restrictions
31.Sh LIBRARY
32.Lb libutil
33.Sh SYNOPSIS
34.In sys/types.h
35.In time.h
36.In login_cap.h
37.Ft int
38.Fn auth_ttyok "login_cap_t *lc" "const char *tty"
39.Ft int
40.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip"
41.Ft int
42.Fn auth_timeok "login_cap_t *lc" "time_t t"
43.Sh DESCRIPTION
44This set of functions checks to see if login is allowed based on login
45class capability entries in the login database,
46.Xr login.conf 5 .
47.Pp
48.Fn auth_ttyok
49checks to see if the named tty is available to users of a specific
50class, and is either in the
51.Em ttys.allow
52access list, and not in
53the
54.Em ttys.deny
55access list.
56An empty
57.Em ttys.allow
58list (or if no such capability exists for
59the give login class) logins via any tty device are allowed unless
60the
61.Em ttys.deny
62list exists and is non-empty, and the device or its
63tty group (see
64.Xr ttys 5 )
65is not in the list.
66Access to ttys may be allowed or restricted specifically by tty device
67name, a device name which includes a wildcard (e.g. ttyD* or cuaD*),
68or may name a ttygroup, when group=<name> tags have been assigned in
69.Pa /etc/ttys .
70Matching of ttys and ttygroups is case sensitive.
71Passing a
72.Dv NULL
73or empty string as the
74.Ar tty
75parameter causes the function to return a non-zero value.
76.Pp
77.Fn auth_hostok
78checks for any host restrictions for remote logins.
79The function checks on both a host name and IP address (given in its
80text form, typically n.n.n.n) against the
81.Em host.allow
82and
83.Em host.deny
84login class capabilities.
85As with ttys and their groups, wildcards and character classes may be
86used in the host allow and deny capability records.
87The
88.Xr fnmatch 3
89function is used for matching, and the matching on hostnames is case
90insensitive.
91Note that this function expects that the hostname is fully expanded
92(i.e. the local domain name added if necessary) and the IP address
93is in its canonical form.
94No hostname or address lookups are attempted.
95.Pp
96It is possible to call this function with either the hostname or
97the IP address missing (i.e.\&
98.Dv NULL )
99and matching will be performed
100only on the basis of the parameter given.
101Passing
102.Dv NULL
103or empty strings in both parameters will result in
104a non-zero return value.
105.Pp
106The
107.Fn auth_timeok
108function checks to see that a given time value is within the
109.Em times.allow
110login class capability and not within the
111.Em times.deny
112access lists.
113An empty or non-existent
114.Em times.allow
115list allows access at any
116time, except if a given time is falls within a period in the
117.Em times.deny
118list.
119The format of time period records contained in both
120.Em times.allow
121and
122.Em times.deny
123capability fields is explained in detail in the
124.Xr login_times 3
125manual page.
126.Sh RETURN VALUES
127A non-zero return value from any of these functions indicates that
128login access is granted.
129A zero return value means either that the item being tested is not
130in the
131.Em allow
132access list, or is within the
133.Em deny
134access list.
135.Sh SEE ALSO
136.Xr getcap 3 ,
137.Xr login_cap 3 ,
138.Xr login_class 3 ,
139.Xr login_times 3 ,
140.Xr login.conf 5 ,
141.Xr termcap 5
142