Tuesday, December 18

Restricting a User's Login

When we talk about forcing a user to log off, what we’re really talking about is placing time restrictions on an account’s access to the system and its services. The easiest way I’ve found to implement time restrictions is with Linux-PAM.

Pluggable Authentication Modules (PAM) is a mechanism for authenticating users. Specifically, we’re going to use the pam_time module to control when users may access particular services.

Using the pam_time module, we can restrict access to the system and/or to specific applications at certain times of day and on certain days of the week. Depending on the configuration, you can use this module to deny access to individual users based on their user name, the time of day, the day of the week, the service they are requesting, and the terminal from which they are making the request.

When using pam_time, every rule in the /etc/security/time.conf file must be terminated with a newline.

Always remember that a pound sign (#) begins a comment; the system ignores the rest of that line.

This is an example configuration file for the pam_time module.

Its syntax was initially based heavily on that of the shadow package (shadow-960129).

The syntax of the lines is as follows:

services;ttys;users;times

  1. The first field, services, is a logic list of PAM service names.
  2. The second field, ttys, is a logic list of terminal names.
  3. The third field, users, is a logic list of users or a netgroup of users.
  4. The fourth field, times, indicates the applicable times.

Here’s an example of a typical set of rules:

login ; * ; !ron ; MoTuWeThFr0800-2000
login ; * ; !root ; !Al0000-2400
http ; * ; !ron ; MoTuWeThFr0800-2000
http ; * ; !root; !Al0000-2400
ftp ; * ; !ron ; MoTuWeThFr0800-2000
ftp ; * ; !root; !Al0000-2400


These rules restrict user ron from logging on between the hours of 0800 and 2000, and they also restrict http and ftp access during these hours.

Root would be able to log on at any time and use http and ftp (browse the Internet) at all times as well.
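As an added example (written for this post, not taken from Linux-PAM), here is a small Python checker for the fourth field of the rules above: it parses the day codes (Mo to Su, plus Wk, Wd and Al, with repeated codes toggling as pam_time does, so MoWk means Tuesday to Friday), the HHMM-HHMM range, and the !, & and | logic-list operators, and reports whether a given weekday and clock time fall inside the field. Left-to-right evaluation of the operators and the handling of ranges that wrap past midnight are assumptions made here.

```python
"""Checker for the 'times' field of a pam_time rule (/etc/security/time.conf).
Added example for this post, not code from Linux-PAM."""
import re

# One bit per weekday, Monday = bit 0 ... Sunday = bit 6 (datetime.weekday() order).
DAYS = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64,
        "Wk": 0b0011111, "Wd": 0b1100000, "Al": 0b1111111}
SPEC_RE = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")
TOKEN_RE = re.compile(r"[&|]|!?[A-Za-z]+\d{4}-\d{4}")

def to_minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[2:])   # '0830' -> 510, '2400' -> 1440

def parse_time_spec(spec):
    """'MoTuWeThFr0800-2000' -> (day bitmask, start minute, end minute).
    Repeated day codes toggle, as in pam_time: 'MoWk' means Tu-Fr."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad pam_time time spec: {spec!r}")
    mask = 0
    for code in re.findall(r"..", m.group(1)):
        mask ^= DAYS[code]
    return mask, to_minutes(m.group(2)), to_minutes(m.group(3))

def spec_matches(spec, weekday, hhmm):
    """True if the moment (weekday 0-6, Monday = 0; clock 'HHMM') is inside spec."""
    mask, start, end = parse_time_spec(spec)
    if not (mask >> weekday) & 1:
        return False
    minute = to_minutes(hhmm)
    if start <= end:
        return start <= minute < end
    # Assumption: a range like 2300-0100 wraps past midnight on the same day bit.
    return minute >= start or minute < end

def times_field_matches(field, weekday, hhmm):
    """Evaluate a logic list such as '!Al0000-2400' or 'Wk0800-1800|Sa1000-1200'.
    Assumption: '&' and '|' are applied left to right; a leading '!' negates."""
    result, op = None, None
    for tok in TOKEN_RE.findall(field.replace(" ", "")):
        if tok in ("&", "|"):
            op = tok
            continue
        value = spec_matches(tok.lstrip("!"), weekday, hhmm) ^ tok.startswith("!")
        if result is None:
            result = value
        else:
            result = (result and value) if op == "&" else (result or value)
    return bool(result)
```

Useful for confirming that a specification such as MoTuWeThFr0800-2000 covers exactly the days and hours you intended before it goes into /etc/security/time.conf.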
