LOGIN_OK(3)	       FreeBSD Library Functions Manual		   LOGIN_OK(3)

     auth_ttyok, auth_hostok, auth_timeok -- functions for checking login
     class based login restrictions

     System Utilities Library (libutil, -lutil)

     #include <sys/types.h>
     #include <time.h>
     #include <login_cap.h>

     int
     auth_ttyok(login_cap_t *lc, const char *tty);

     int
     auth_hostok(login_cap_t *lc, const char *host, char const *ip);

     int
     auth_timeok(login_cap_t *lc, time_t t);

     This set of functions checks to see if login is allowed based on login
     class capability entries in the login database, login.conf(5).

     The auth_ttyok() function checks to see if the named tty is available to
     users of a specific class, that is, whether it is in the ttys.allow access
     list and not in the ttys.deny access list.  If the ttys.allow list is empty
     (or no such capability exists for the given login class), logins via any
     tty device are allowed, provided that, if the ttys.deny list exists and is
     non-empty, the device or its tty group (see ttys(5)) is not in that list.
     Access to ttys may be allowed or restricted specifically by tty device
     name, a device name which includes a wildcard (e.g. ttyD* or cuaD*), or
     may name a ttygroup, when group=<name> tags have been assigned in
     /etc/ttys.  Matching of ttys and ttygroups is case sensitive.  Passing a
     NULL or empty string as the tty parameter causes the function to return a
     non-zero

     The auth_hostok() function checks for any host restrictions for remote
     logins.  The function checks both a host name and an IP address (given in
     its text form, typically n.n.n.n) against the host.allow and host.deny
     login class capabilities.  As with ttys and their groups, wildcards and
     character classes may be used in the host allow and deny capability
     records.  The fnmatch(3) function is used for matching, and the matching
     on hostnames is case insensitive.  Note that this function expects that
     the hostname is fully expanded (i.e., the local domain name added if
     necessary) and the IP address is in its canonical form.  No hostname or
     address lookups are attempted.

     It is possible to call this function with either the hostname or the IP
     address missing (i.e. NULL) and matching will be performed only on the
     basis of the parameter given.  Passing NULL or empty strings in both
     parameters will result in a non-zero return value.

     The auth_timeok() function checks to see that a given time value is
     within the times.allow login class capability and not within the
     times.deny access lists.  An empty or non-existent times.allow list
     allows access at any time, except if a given time falls within a period
     in the times.deny list.  The format of time period records contained in
     both times.allow and times.deny capability fields is explained in detail
     in the login_times(3) manual page.

     A non-zero return value from any of these functions indicates that login
     access is granted.  A zero return value means either that the item being
     tested is not in the allow access list, or is within the deny access
     getcap(3), login_cap(3), login_class(3), login_times(3), login.conf(5),

     The auth_ttyok(), auth_hostok() and auth_timeok() functions first
     appeared in FreeBSD 2.1.5.

FreeBSD	13.0			 May 10, 2020			  FreeBSD 13.0

