1.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au> 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, is permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice immediately at the beginning of the file, without modification, 9.\" this list of conditions, and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. This work was done expressly for inclusion into FreeBSD. Other use 14.\" is permitted provided this notation is included. 15.\" 4. Absolutely no warranty of function or purpose is made by the author 16.\" David Nugent. 17.\" 5. Modifications may be freely made to this file providing the above 18.\" conditions are met. 19.\" 20.Dd May 10, 2020 21.Dt LOGIN_OK 3 22.Os 23.Sh NAME 24.Nm auth_ttyok , 25.Nm auth_hostok , 26.Nm auth_timeok 27.Nd functions for checking login class based login restrictions 28.Sh LIBRARY 29.Lb libutil 30.Sh SYNOPSIS 31.In sys/types.h 32.In time.h 33.In login_cap.h 34.Ft int 35.Fn auth_ttyok "login_cap_t *lc" "const char *tty" 36.Ft int 37.Fn auth_hostok "login_cap_t *lc" "const char *host" "char const *ip" 38.Ft int 39.Fn auth_timeok "login_cap_t *lc" "time_t t" 40.Sh DESCRIPTION 41This set of functions checks to see if login is allowed based on login 42class capability entries in the login database, 43.Xr login.conf 5 . 44.Pp 45The 46.Fn auth_ttyok 47function checks to see if the named tty is available to users of a specific 48class, and is either in the 49.Em ttys.allow 50access list, and not in 51the 52.Em ttys.deny 53access list. 54An empty 55.Em ttys.allow 56list (or if no such capability exists for 57the given login class) logins via any tty device are allowed unless 58the 59.Em ttys.deny 60list exists and is non-empty, and the device or its 61tty group (see 62.Xr ttys 5 ) 63is not in the list. 64Access to ttys may be allowed or restricted specifically by tty device 65name, a device name which includes a wildcard (e.g.\& ttyD* or cuaD*), 66or may name a ttygroup, when group=<name> tags have been assigned in 67.Pa /etc/ttys . 68Matching of ttys and ttygroups is case sensitive. 69Passing a 70.Dv NULL 71or empty string as the 72.Ar tty 73parameter causes the function to return a non-zero value. 74.Pp 75The 76.Fn auth_hostok 77function checks for any host restrictions for remote logins. 78The function checks on both a host name and IP address (given in its 79text form, typically n.n.n.n) against the 80.Em host.allow 81and 82.Em host.deny 83login class capabilities. 84As with ttys and their groups, wildcards and character classes may be 85used in the host allow and deny capability records. 86The 87.Xr fnmatch 3 88function is used for matching, and the matching on hostnames is case 89insensitive. 90Note that this function expects that the hostname is fully expanded 91(i.e., the local domain name added if necessary) and the IP address 92is in its canonical form. 93No hostname or address lookups are attempted. 94.Pp 95It is possible to call this function with either the hostname or 96the IP address missing (i.e.\& 97.Dv NULL ) 98and matching will be performed 99only on the basis of the parameter given. 100Passing 101.Dv NULL 102or empty strings in both parameters will result in 103a non-zero return value. 104.Pp 105The 106.Fn auth_timeok 107function checks to see that a given time value is within the 108.Em times.allow 109login class capability and not within the 110.Em times.deny 111access lists. 112An empty or non-existent 113.Em times.allow 114list allows access at any 115time, except if a given time is falls within a period in the 116.Em times.deny 117list. 118The format of time period records contained in both 119.Em times.allow 120and 121.Em times.deny 122capability fields is explained in detail in the 123.Xr login_times 3 124manual page. 125.Sh RETURN VALUES 126A non-zero return value from any of these functions indicates that 127login access is granted. 128A zero return value means either that the item being tested is not 129in the 130.Em allow 131access list, or is within the 132.Em deny 133access list. 134.Sh SEE ALSO 135.Xr getcap 3 , 136.Xr login_cap 3 , 137.Xr login_class 3 , 138.Xr login_times 3 , 139.Xr login.conf 5 , 140.Xr termcap 5 141.Sh HISTORY 142The functions 143.Fn auth_ttyok , 144.Fn auth_hostok 145 and 146.Fn auth_timeok 147functions first appeared in 148.Fx 2.1.5 . 149