
Restricting server access by time

Posted by Steve on Thu 25 Aug 2005 at 15:12

Most Linux distributions use PAM for controlling account logins. PAM is a collection of modules which can be used to authenticate users in a variety of ways. One interesting use for this is to deny access to a host by the time of day.

The PAM (or "Pluggable Authentication Modules") system on Debian is controlled by the configuration files in /etc/pam.d. Each service which uses PAM has a file there, for example:

/etc/pam.d/ssh  - PAM will use this file to satisfy login requests via SSH

The PAM file will contain several things:

  • Comments.
  • Directives to include the contents of other files.
  • PAM module directives which must be satisfied to permit access.

In order to limit access by time we need to add a directive to authenticate against the pam_time.so module. We add this to any service which we wish to ration by time.

For example, to control incoming access by ssh we add the following line to /etc/pam.d/ssh:

account  required       pam_time.so

This means that when a connection comes in via sshd PAM will be invoked and will now test the incoming account against the pam_time.so module, in addition to any other modules.

The configuration directive uses the control word required, which means this module must allow the connection, or the authentication attempt as a whole will fail.

pam_time.so is configured by the file /etc/security/time.conf; the comments at the top of that file give a good description of its format.

In short time.conf contents look like this:

services; ttys; users; times

You can use the wildcard "*" to match any condition, and combine entries with "|" to mean "or", "!" to mean not, etc.

The times section of the line may include both days and times, for example "Mo" for Monday, "Wk" for week days (Monday to Friday), "Wd" for weekend days, or "Al" for all days.

As a simple example we can add the following entry:

* ; * ; !root ; Al0900-1700

This denies access to any user other than root unless it is between 09:00 (9AM) and 17:00 (5PM).

A common requirement would be to only allow non-root users to log in Mon-Fri in "office hours". That would be satisfied by:

* ; * ; !root ; Wk0800-1800

That allows access on Weekdays between 8AM and 6PM.
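A small Python model of how a time.conf rule set is evaluated, useful for checking a rule before deploying it so that it does not lock accounts out unexpectedly. This is an added example, not code from the original article or from PAM; it assumes the day tokens, left-to-right operator evaluation and default-allow behaviour described for time.conf(5), and the function names, SAMPLE and MONDAY_NOON are constructed for illustration.

```python
import re
from datetime import datetime

# Assumption from time.conf(5): Wk = Mon-Fri, Wd = Sat+Sun. Bit 0 = Monday (weekday()).
DAYS = {"mo": 1, "tu": 2, "we": 4, "th": 8, "fr": 16, "sa": 32, "su": 64,
        "wk": 31, "wd": 96, "al": 127}

def time_term(term, when):
    """True if `when` falls inside one times term such as 'Wk0800-1800'."""
    m = re.fullmatch(r"((?:[A-Za-z]{2})+)(\d\d)(\d\d)-(\d\d)(\d\d)", term)
    if not m:
        raise ValueError(f"bad times term: {term!r}")
    mask = 0
    for i in range(0, len(m.group(1)), 2):
        mask ^= DAYS[m.group(1)[i:i + 2].lower()]  # repeats cancel: AlFr = all but Fri
    start, end = (int(m[a]) * 60 + int(m[a + 1]) for a in (2, 4))
    today, now = 1 << when.weekday(), when.hour * 60 + when.minute
    if start < end:
        return bool(mask & today) and start <= now < end
    # Range wraps past midnight: late part on a listed day, early part the day after.
    yesterday = 1 << ((when.weekday() - 1) % 7)
    return bool((mask & today and now >= start) or (mask & yesterday and now < end))

def field(expr, match):
    """Evaluate 'a|b&!c' strictly left to right, calling match() on each token."""
    parts = re.split(r"([|&])", expr.replace(" ", ""))
    vals = [match(t.lstrip("!")) != t.startswith("!") for t in parts[0::2]]
    result = vals[0]
    for op, val in zip(parts[1::2], vals[1:]):
        result = (result or val) if op == "|" else (result and val)
    return result

def name_match(value):  # literal comparison; a trailing '*' is a prefix wildcard
    return lambda pat: value.startswith(pat[:-1]) if pat.endswith("*") else value == pat

def allowed(conf, service, tty, user, when):
    """Default allow; deny when a rule matches service, tty and user but not the time."""
    for line in conf.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(";")]
        if len(fields) != 4:
            continue  # blank or comment line
        applies = all(field(f, name_match(v)) for f, v in zip(fields, (service, tty, user)))
        if applies and not field(fields[3], lambda t: time_term(t, when)):
            return False
    return True

# Constructed sample: the office-hours rule, a hypothetical user and a Monday at noon.
SAMPLE = "* ; * ; !root ; Wk0800-1800\n"
MONDAY_NOON = datetime(2005, 8, 29, 12, 0)
print(allowed(SAMPLE, "ssh", "ssh", "alice", MONDAY_NOON))
```

Run it against a copy of the real time.conf with the accounts and times you care about, root and any break-glass account included, before adding pam_time.so to a service.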

 

 


Re: Restricting server access by time
Posted by Serge (213.118.xx.xx) on Thu 25 Aug 2005 at 19:25
You explain that
account required pam_time.so

must be added to any service in /etc/pam.d which we wish to ration by time. Which might be a lot of services.
Suppose I want this to work on *all* services regardless of which ones are installed now or might be installed later. How do I configure PAM for that?

--

Serge van Ginderachter [keeps struggling with PAM configuration]


Re: Restricting server access by time
Posted by Steve (82.41.xx.xx) on Thu 25 Aug 2005 at 19:29

There is no other option I'm afraid.

You can simplify things by adding the line to one of the "common files", (eg, /etc/pam.d/common-account), but that doesn't guarantee that future services will be similarly rationed.

This only works if the services include the relevant common file.

Steve
-- Steve.org.uk


Re: Restricting server access by time
Posted by Anonymous (213.190.xx.xx) on Fri 26 Oct 2007 at 16:51
Hello,
It could be nice to restrict ppp or pptpd connections.

How could it be implemented?

Thx


Re: Restricting server access by time
Posted by Anonymous (90.219.xx.xx) on Thu 30 Jul 2009 at 04:58
How would you display a message indicating access to the server is only allowed between certain times when a user tries to log in?
