logon limits?
Rick Stevens
rstevens at vitalstream.com
Fri Jun 23 17:22:18 UTC 2006
On Fri, 2006-06-23 at 14:31 +0100, Stuart Sears wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rick Stevens wrote:
> > On Tue, 2006-06-20 at 10:44 -0700, chuck lawrence wrote:
> ...
> >> my windows AD domain allows me to set domain users "logon hours", which
> >> supposedly can limit specific users to specific hours. is there a linux
> >> equivalent?
> >
> > Yes. It's a bit long to go into in an email posting, but if you do
> > "man login" and look at the "SPECIAL ACCESS RESTRICTIONS" section
> > dealing with /etc/usertty, you'll see how to do it.
> Rick,
> Are you certain about that?
> The docs seem to suggest the following
> "On systems that do not use PAM, the file /etc/usertty specifies
> additional access restrictions for specific users."
>
> Indeed, trying this in /etc/usertty
>
> USERS
> bob [mon:tue:wed:thu:fri:8-14]tty3
>
> has absolutely no effect at all outside of the specified hours.
>
> On a PAM-aware system [any modern version of RH or Fedora Core] the
> correct solution to this is probably the pam_time library.
>
> this means editing 2 files:
> /etc/pam.d/system-auth:
> add the line
>
> account required pam_time.so
>
> to the other account lines. Make sure it is above any lines that contain
> the word 'sufficient', or it will *not* work
>
> This tells the PAM system to apply time restrictions when users are
> authenticating.
>
> Now we need to add restrictions. The config for pam_time is
> /etc/security/time.conf
> Very helpfully the authors have printed out the manpage in the top of
> this file, but in summary, a line in here looks a bit like
>
> service; consoles; users; times
> e.g.
>
> login;tty*;bob;!Al0000-1500
>
> This will prevent the user bob from logging in (well, running the login
> service, which amounts to much the same thing) on any virtual terminal
> between midnight and 3pm. To prevent graphical logins, the service name
> you may want to use is gdm.
I believe you're correct, but I'm not certain about pseudo-TTYs used for
network connections ("pts/0" and the like). I've never done this sort
of thing...my users are restricted significantly and access to my
machines over the network is generally highly restricted also.
> To *allow* bob to do this (but not outside those times) the line is a
> bit like this:
>
> login;tty*;bob;Al0000-1500
>
> i.e. the ! is removed.
>
> RTFM for more info on this:
> /usr/share/doc/pam-0*/html/index.html (there are text versions too)
>
> a word of warning:
> PAM is *very* powerful and can thoroughly break your system. Be very
> careful which users you put in that file. A typo in a PAM config file
> can lock even root out of the system - at which point your only recourse
> is to boot into single-user mode. Leave a root session open while you
> test this for other users.
Amen! Playing with PAM without really knowing what you're doing is like
futzing with the fuse on a nuclear device.
>
>
> <snip rest of Rick's outstanding advice>
>
>
> kind regards
>
>
> Stuart
> - --
> Stuart Sears RHCA RHCX
> To err is human, to forgive is Not Company Policy.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFEm+0lamPtx1brPQ4RAu0GAJ0eHRRSlDqZvgeoYE/sJLXHnttaMwCfcac0
> KO4F4gItI/8cII6dkUBwCX4=
> =eXjK
> -----END PGP SIGNATURE-----
>
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- Admitting you have a problem is the first step toward getting -
- medicated for it. -- Jim Evarts (http://www.TopFive.com) -
----------------------------------------------------------------------
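As an added example, not code from this thread and not part of Linux-PAM itself: a small Python evaluator for the time.conf rule syntax Stuart describes, run against a constructed rule set whose first line is his `login;tty*;bob;!Al0000-1500`. It assumes glob-style matching (fnmatch) for the services/ttys/users fields, which covers the `*` wildcard used above, supports `|` alternation and a leading `!` on any field, and treats a range that wraps midnight (e.g. `2200-0600`) as also covering the early hours of the following day; `&` and nested negation are not implemented. The extra rules, users and timestamps are made up. It also exercises the point Rick raises: a rule written for `tty*` does not match a pseudo-terminal such as `pts/0`, so a network login is not restricted by that line.

```python
"""Offline evaluator for pam_time-style /etc/security/time.conf rules.

Added example, not code from the thread or from Linux-PAM. Field matching
uses glob semantics (an assumption; pam_time's own matcher is simpler), and
a time range that wraps midnight also matches the early hours of the next day.
"""
from datetime import datetime
from fnmatch import fnmatch

# Two-letter day codes from the time.conf syntax, mapped to datetime.weekday()
DAY_SETS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}

# Constructed sample config. The first rule is the one quoted in the thread;
# the gdm and sshd rules are made up for illustration.
SAMPLE_TIME_CONF = """\
# services;ttys;users;times
login;tty*;bob;!Al0000-1500
gdm;*;bob;Al0000-1500
sshd;*;bob|alice;Wk0800-1800
"""


def parse_time_conf(text):
    """Return a list of (services, ttys, users, times) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError(f"malformed time.conf line: {raw!r}")
        rules.append(tuple(fields))
    return rules


def field_matches(field, value):
    """services/ttys/users field: '|'-separated globs, optional leading '!'."""
    negate = field.startswith("!")
    if negate:
        field = field[1:]
    hit = any(fnmatch(value, alt) for alt in field.split("|"))
    return hit != negate


def _as_datetime(when):
    """Accept a datetime or an ISO string like '2006-06-23 10:00'."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def _term_matches(term, when):
    """One day/time term such as 'Al0000-1500' or 'MoTuWe2200-0600'."""
    days, i = set(), 0
    while term[i:i + 2] in DAY_SETS:
        days |= DAY_SETS[term[i:i + 2]]
        i += 2
    start, end = (int(t) for t in term[i:].split("-"))
    now = when.hour * 100 + when.minute
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    if start <= end:
        return today in days and start <= now < end
    # Wraps midnight: the late part belongs to today, the early part to the
    # window that began yesterday (simplification, see module docstring).
    return (today in days and now >= start) or (yesterday in days and now < end)


def time_matches(field, when):
    """times field: '|'-separated terms, optional leading '!' negating all."""
    when = _as_datetime(when)
    negate = field.startswith("!")
    if negate:
        field = field[1:]
    hit = any(_term_matches(t, when) for t in field.split("|"))
    return hit != negate


def access_allowed(rules, service, tty, user, when):
    """pam_time semantics: every rule whose services, ttys and users fields
    all match must also have a true times field, or the account check fails.
    A combination that no rule mentions is unrestricted."""
    when = _as_datetime(when)
    for services, ttys, users, times in rules:
        if (field_matches(services, service) and field_matches(ttys, tty)
                and field_matches(users, user)):
            if not time_matches(times, when):
                return False
    return True


if __name__ == "__main__":
    rules = parse_time_conf(SAMPLE_TIME_CONF)
    checks = [
        ("login", "tty3", "bob", "2006-06-23 10:00"),    # Friday, inside the deny window
        ("login", "tty3", "bob", "2006-06-23 16:00"),    # Friday, after 15:00
        ("login", "pts/0", "bob", "2006-06-23 10:00"),   # network pty: tty* rule does not apply
        ("sshd", "pts/0", "alice", "2006-06-24 10:00"),  # Saturday, outside Wk
    ]
    for service, tty, user, when in checks:
        verdict = "allow" if access_allowed(rules, service, tty, user, when) else "deny"
        print(f"{when} {service:5} {tty:5} {user:5} -> {verdict}")
```

Note that the third check passes: nothing in the sample restricts bob over the network, because `tty*` never matches `pts/0`. To cover SSH sessions with pam_time you need a rule whose ttys field matches the pseudo-terminal (or `*`), and the rule must be loaded by the PAM stack sshd actually uses, not only by `login`.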