logon limits?

Stuart Sears stuart at sjsears.com
Fri Jun 23 13:31:17 UTC 2006



Rick Stevens wrote:
> On Tue, 2006-06-20 at 10:44 -0700, chuck lawrence wrote:
...
>> my windows AD domain allows me to set domain users "logon hours", which 
>> supposedly can limit specific users to specific hours.  is there a linux 
>> equivalent?
> 
> Yes.  It's a bit long to go into in an email posting, but if you do
> "man login" and look at the "SPECIAL ACCESS RESTRICTIONS" section
> dealing with /etc/usertty, you'll see how to do it.
Rick,
Are you certain about that?
The docs seem to suggest the following
"On systems that do not use PAM, the  file  /etc/usertty  specifies
additional  access restrictions for specific users."

indeed, trying this in /etc/usertty

USERS
bob  [mon:tue:wed:thu:fri:8-14]tty3

has absolutely no effect at all outside of the specified hours.

on a PAM-aware system [any modern version of RH or Fedora Core] the
correct solution to this is probably the pam_time library

this means editing 2 files:
/etc/pam.d/system-auth:
add the line

account	required	pam_time.so

to the other account lines. Make sure it is above any lines that contain
the word 'sufficient', or it will *not* work

This tells the PAM system to apply time restrictions when users are
authenticating.

now we need to add restrictions. The config for pam_time is
/etc/security/time.conf
very helpfully the authors have printed out the manpage in the top of
this file, but in summary, a line in here looks a bit like

service; consoles; users; times
e.g.

login;tty*;bob;!Al0000-1500

Will prevent the user bob from logging in (well, running the login
service, which amounts to much the same thing) on any virtual terminal
between midnight and 3pm. to prevent graphical logins, the service name
you may want to use is gdm.

to *allow* bob to do this (but not outside those times) the line is a
bit like this:

login;tty*;bob;Al0000-1500

i.e. the ! is removed.

RTFM for more info on this:
/usr/share/doc/pam-0*/html/index.html (there are text versions too)

a word of warning:
PAM is *very* powerful and can thoroughly break your system. Be very
careful which users you put in that file. A typo in a PAM config file
can lock even root out of the system - at which point your only recourse
is to boot into single-user mode. Leave a root session open while you
test this for other users.


<snip rest of Rick's outstanding advice>


kind regards


Stuart
--
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.

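An added example, not part of Stuart's message and not code from Linux-PAM: a small Python model of the two things the message configures. `check_access()` evaluates `/etc/security/time.conf` rules of the form `services;ttys;users;times` for a given session and time, following the documented pam_time syntax (day codes Mo..Su, Wk, Wd, Al with repeated codes toggling off, HHMM-HHMM ranges that wrap past midnight when the finish is earlier than the start, `!` negation, `&`/`|` lists, trailing `*` wildcards); `pam_time_before_sufficient()` checks the ordering rule for `/etc/pam.d/system-auth`, that the `account ... pam_time.so` line comes before any `account ... sufficient` line. Assumptions: logic lists are evaluated left to right, wildcard matching is prefix-only, only plain `type control module` pam.d lines are parsed, and both sample files are constructed for the example. All function names are the example's own.

```python
import datetime as dt
import re

# Bit per weekday, Monday = bit 0 .. Sunday = bit 6 (same order as datetime.weekday()).
DAY_CODES = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64,
             "Wk": 0x1F, "Wd": 0x60, "Al": 0x7F}

def _to_dt(when):
    """Accept a datetime or an ISO string such as '2006-06-23T10:00'."""
    return dt.datetime.fromisoformat(when) if isinstance(when, str) else when

def _logic(expr, term_test):
    """Evaluate a time.conf logic list ('&', '|', per-term '!'); assumed left to right."""
    result, op = None, None
    for tok in re.findall(r"[&|]|[^&|\s]+", expr):
        if tok in ("&", "|"):
            op = tok
            continue
        value = term_test(tok.lstrip("!"))
        if tok.startswith("!"):
            value = not value
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)

def _name_matches(pattern, value):
    """services/ttys/users term: exact match, or prefix match for a trailing '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def _range_matches(term, when):
    """One day-set plus HHMM-HHMM range, e.g. 'Wk1800-0800'. Repeated day codes
    toggle (MoWk = Tu..Fr); a finish earlier than the start wraps past midnight,
    and the part after midnight is checked against the previous day."""
    m = re.match(r"^((?:[A-Z][a-z])+)(\d{4})-(\d{4})$", term)
    if not m:
        raise ValueError("bad time term: %r" % term)
    days = 0
    for code in re.findall(r"[A-Z][a-z]", m.group(1)):
        days ^= DAY_CODES[code]
    start = int(m.group(2)[:2]) * 60 + int(m.group(2)[2:])
    end = int(m.group(3)[:2]) * 60 + int(m.group(3)[2:])   # '2400' = end of day
    now = when.hour * 60 + when.minute
    today, yesterday = 1 << when.weekday(), 1 << ((when.weekday() - 1) % 7)
    if start <= end:
        return bool(days & today) and start <= now < end
    return (bool(days & today) and now >= start) or (bool(days & yesterday) and now < end)

def time_allows(times_field, when):
    """True if the 'times' field of a rule is satisfied at `when`."""
    when = _to_dt(when)
    return _logic(times_field, lambda term: _range_matches(term, when))

def rule_applies(line, service, tty, user):
    """True if the rule's services;ttys;users fields all match this session."""
    svc, ttys, users, _ = [f.strip() for f in line.split(";")]
    return (_logic(svc, lambda p: _name_matches(p, service))
            and _logic(ttys, lambda p: _name_matches(p, tty))
            and _logic(users, lambda p: _name_matches(p, user)))

def check_access(conf_text, service, tty, user, when):
    """Model of the pam_time account check: every rule that matches the session
    must also pass its times field; with no matching rule, access is allowed."""
    when = _to_dt(when)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and rule_applies(line, service, tty, user):
            if not time_allows(line.split(";")[3], when):
                return False
    return True

def pam_time_before_sufficient(pamd_text):
    """True if the 'account' stack lists pam_time.so before any account line whose
    control is 'sufficient'. Plain 'type control module' lines only (assumption)."""
    for raw in pamd_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "account":
            continue
        if "pam_time.so" in parts[2]:
            return True
        if parts[1] == "sufficient":
            return False
    return False

# Constructed samples for the example (not real system files).
SAMPLE_TIME_CONF = """\
login ; tty* ; bob ; !Al0000-1500
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
"""
SAMPLE_SYSTEM_AUTH = """\
account     required      pam_time.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     required      pam_permit.so
"""

if __name__ == "__main__":
    for when in ("2006-06-23T10:00", "2006-06-23T16:00"):  # a Friday, as in the thread
        ok = check_access(SAMPLE_TIME_CONF, "login", "tty3", "bob", when)
        print(when, "bob on tty3 via login:", "allowed" if ok else "denied")
    print("pam_time.so before any sufficient line:", pam_time_before_sufficient(SAMPLE_SYSTEM_AUTH))
```

The first sample rule is the one from the message: bob is denied a `login` on any `tty*` between 00:00 and 15:00 on every day and allowed otherwise. The second rule shows the midnight wrap: `Wk1800-0800` admits Saturday 02:00 (the window that began Friday evening) but not Saturday 20:00 or Monday 07:00. The ordering check is a mechanical version of the message's "above any lines that contain the word 'sufficient'" advice; reversing the sample stack makes it fail.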



