
6.18 Time control

Synopsis

Module Name:

pam_time

Author:

Andrew G. Morgan <morgan@parc.power.net>

Maintainer:

Author

Management groups provided:

account

Cryptographically sensitive:

Security rating:

Clean code base:

System dependencies:

Requires a configuration file /etc/security/time.conf

Network aware:

Through the PAM_TTY item only

Overview of module

Running a well-regulated system occasionally involves restricting access to certain services in a selective manner. This module offers some time control for access to services offered by a system. Its actions are determined by a configuration file. The module can be configured to deny access to (individual) users based on their name, the time of day, the day of the week, the service they are applying for and the terminal from which they are making their request.

Account component

Recognized arguments:

Description:

This module bases its actions on the rules listed in its configuration file: /etc/security/time.conf. Each rule has the following form:

services;ttys;users;times

In words, each rule occupies a line, terminated by a newline or by the beginning of a comment, a `#'. It contains four fields separated by semicolons, `;'. The fields are as follows:

Note that the given time restriction is only applied when the first three fields are satisfied by a user's application for service.

For convenience and readability a rule can be extended beyond a single line with a `\newline'.

Examples/suggested usage:

The use of this module is initiated with an entry in the Linux-PAM configuration file of the following type:

#
# apply pam_time accounting to login requests
#
login   account  required       pam_time.so

Here we are applying the module to the login application.

Some examples of rules that can be placed in the /etc/security/time.conf configuration file are the following:

login ; tty* & !ttyp* ; !root ; !Al0000-2400

All users except for root are denied access to console-login at all times.

games ; * ; !waster ; Wd0000-2400 | Wk1800-0800

Games (configured to use Linux-PAM) are only to be accessed out of working hours. This rule does not apply to the user waster.

Note that currently there is no daemon enforcing the end of a session. This needs to be remedied.

Poorly formatted rules are logged as errors using syslog(3).
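The following Python sketch is an added example, not part of the original guide or of the pam_time source: it splits a rule into its four fields and evaluates the times field for a given moment, so that rules like the two above can be checked before they are installed. The day codes (Mo to Su, Wk, Wd, Al), the toggling of repeated days and the handling of a range whose end is earlier than its start as running into the following day are assumptions taken from the pam_time documentation, since this page does not list them; the function names are hypothetical.

```python
import re
from datetime import datetime

# Day codes as documented for pam_time (an assumption: this page omits the list).
# Monday=0 ... Sunday=6, matching datetime.weekday().
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}
TOKEN = re.compile(r"(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$", re.I)

def split_rule(line):
    """Strip a trailing '#' comment and return the four ';'-separated fields."""
    fields = [f.strip() for f in line.split("#", 1)[0].split(";")]
    if len(fields) != 4 or not all(fields):
        raise ValueError(f"expected 4 non-empty fields, got {len(fields)}: {line!r}")
    return fields

def token_matches(token, when):
    """Evaluate one day/time-range element such as 'Wk1800-0800'."""
    m = TOKEN.match(token)
    if not m:
        raise ValueError(f"bad time element: {token!r}")
    negate, codes, start, end = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
    days = set()
    for code in re.findall("..", codes):
        days ^= DAYS[code.capitalize()]   # repeated days toggle off, e.g. MoWk
    now, today = when.hour * 100 + when.minute, when.weekday()
    if start < end:                       # window lies within one day
        hit = today in days and start <= now < end
    else:                                 # window runs past midnight into the next day
        hit = (today in days and now >= start) or \
              ((today - 1) % 7 in days and now < end)
    return hit != bool(negate)

def times_allow(times, when):
    """Combine elements left to right with '&' and '|' (no operator precedence)."""
    parts = [p.strip() for p in re.split(r"([&|])", times)]
    result = token_matches(parts[0], when)
    for op, tok in zip(parts[1::2], parts[2::2]):
        value = token_matches(tok, when)
        result = (result and value) if op == "&" else (result or value)
    return result

if __name__ == "__main__":
    rule = "games ; * ; !waster ; Wd0000-2400 | Wk1800-0800"   # rule from this page
    times = split_rule(rule)[3]
    for stamp in ("2024-01-09 10:00", "2024-01-09 20:00", "2024-01-08 03:00"):
        print(stamp, times_allow(times, datetime.fromisoformat(stamp)))
```

Under these assumptions the games rule evaluates to false for a Monday at 03:00: the Wk1800-0800 window that would cover it would have to start on Sunday, which is not a weekday, and Wd0000-2400 ends at midnight.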

