pam_time

Module name: pam_time
Author: Andrew G. Morgan <morgan@parc.power.net>
Maintainer: Author
Management group provided: account
System dependencies: Requires a configuration file /etc/security/time.conf
Network aware: Through the PAM_TTY item only
Running a well regulated system occasionally involves restricting access to certain services in a selective manner. This module offers some time control for access to services offered by a system. Its actions are determined by a configuration file. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of the week, the service they are applying for and the terminal from which they are making their request.
This module bases its actions on the rules listed in its configuration
file: /etc/security/time.conf. Each rule has the following form,

        services;ttys;users;times
In words, each rule occupies a line, terminated with a newline or the
beginning of a comment, a `#'. It contains four fields separated with
semicolons, `;'. The first three fields, services, ttys and users, are
logic lists of PAM service names, terminal names (taken from the PAM_TTY
item) and user names respectively; the fourth, times, is a logic list of
time tokens. The fields are as follows:
By a logic list we mean a sequence of tokens (associated with the
appropriate PAM_ item), each containing no more than one wildcard
character, `*', and optionally prefixed with a negation operator, `!'.
Such a sequence is concatenated with one of two logical operators: &
(logical AND) and | (logical OR). Two examples are: !morgan&!root,
indicating that this rule does not apply to the user morgan nor to root;
and tty*&!ttyp*, which indicates that the rule applies only to console
terminals but not pseudoterminals.
Each token of the times field consists of a list of days followed by a
time range. The day list is a string of two-character day abbreviations;
for example MoTuSa indicates Monday, Tuesday and Saturday. Note that
repeated days are unset: MoTuMo indicates Tuesday, and MoWk means all
weekdays bar Monday. The two-character combinations accepted are,

        Mo Tu We Th Fr Sa Su Wk Wd Al

Wk being the five weekdays, and the last two being weekend days and all
7 days of the week respectively.
The time range part is a pair of 24-hour times, HHMM, separated by a
hyphen, indicating the start and finish time for the rule. If the finish
time is smaller than the start time, it is assumed to apply on the
following day. For example, Mo1800-0300 indicates that the permitted
times are Monday night from 6pm to 3am the following morning.

Note that the given time restriction is only applied when the first three
fields are satisfied by a user's application for service.
For convenience and readability a rule can be extended beyond a single
line with a `\newline'.
The use of this module is initiated with an entry in the Linux-PAM configuration file of the following type:

        #
        # apply pam_time accounting to login requests
        #
        login account required pam_time.so

where, here, we are applying the module to the login application.
Some examples of rules that can be placed in the /etc/security/time.conf
configuration file are the following:

        login ; tty* & !ttyp* ; !root ; !Al0000-2400

all users except for root are denied access to console-login at all
times.

        games ; * ; !waster ; Wd0000-2400 | Wk1800-0800

games (configured to use Linux-PAM) are only to be accessed out of
working hours. This rule does not apply to the user waster.
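To see how the four fields combine, the following is an added example, not code from Linux-PAM or from this page: a Python dry-run evaluator that applies the rule semantics documented above (wildcard tokens, negation, day toggling, ranges that cross midnight, backslash-newline continuation, and the "deny when the first three fields match but the times do not" decision) to the two rules just shown, embedded as a constructed time.conf. It assumes logic lists are evaluated strictly left to right with no operator precedence, which the page does not specify, and numbers weekdays from Monday as Python's datetime does; `check`, `access_allowed` and the other function names are the example's own.

```python
"""Dry-run evaluator for pam_time rules (services;ttys;users;times).
Added example, not code from Linux-PAM: it re-implements the semantics this
page documents so a rule set can be checked before installing it as
/etc/security/time.conf.  Example assumptions: logic lists evaluate strictly
left to right with no precedence; weekdays are Monday=0 (datetime.weekday)."""
from datetime import datetime

DAY_SETS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}

def glob_match(pattern, value):
    """Match a token against a name; at most one '*' wildcard is allowed."""
    if pattern.count("*") > 1:
        raise ValueError("more than one wildcard in %r" % pattern)
    if "*" not in pattern:
        return pattern == value
    head, tail = pattern.split("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))

def eval_logic(field, agrees):
    """Evaluate a logic list such as '!morgan&!root'; agrees(token) -> bool.
    '!' inverts a token; '&' and '|' combine results left to right."""
    state, op, token = None, None, ""
    for ch in field.replace(" ", "") + "&":      # trailing '&' flushes the last token
        if ch not in "&|":
            token += ch
            continue
        if not token:
            raise ValueError("empty token in logic list %r" % field)
        negate = token.startswith("!")
        value = agrees(token[1:] if negate else token) != negate   # XOR with '!'
        state = value if state is None else ((state and value) if op == "&" else (state or value))
        op, token = ch, ""
    return state

def parse_time_token(token):
    """'MoWk1800-0800' -> ({1, 2, 3, 4}, 1800, 800); repeating a day toggles it off."""
    days, i = set(), 0
    while token[i:i + 2] in DAY_SETS:
        days ^= DAY_SETS[token[i:i + 2]]         # XOR implements the toggle rule
        i += 2
    span = token[i:]
    if len(span) != 9 or span[4] != "-" or not (span[:4] + span[5:]).isdigit():
        raise ValueError("bad time token %r" % token)
    start, end = int(span[:4]), int(span[5:])
    if max(start, end) > 2400 or start % 100 > 59 or end % 100 > 59:
        raise ValueError("bad HHMM value in %r" % token)
    return days, start, end

def time_agrees(token, when):
    """True if `when` falls inside the token's day/time window."""
    days, start, end = parse_time_token(token)
    now = when.hour * 100 + when.minute
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    if start < end:                              # window lies within one day
        return today in days and start <= now < end
    # finish earlier than start: the window runs past midnight into the next day
    return (today in days and now >= start) or (yesterday in days and now < end)

def parse_rules(text):
    """Parse time.conf text: backslash-newline continues a line, '#' starts a comment."""
    rules = []
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError("rule must have four ';'-separated fields: %r" % raw)
        rules.append(fields)
    return rules

def access_allowed(rules, service, tty, user, when):
    """Deny if any rule matches service, tty and user but its times field does not."""
    for services, ttys, users, times in rules:
        if (eval_logic(services, lambda t: glob_match(t, service))
                and eval_logic(ttys, lambda t: glob_match(t, tty))
                and eval_logic(users, lambda t: glob_match(t, user))
                and not eval_logic(times, lambda t: time_agrees(t, when))):
            return False
    return True

# Constructed sample configuration using the two rules from this page; the
# second rule is split with a backslash-newline continuation.
SAMPLE_CONF = """\
login ; tty* & !ttyp* ; !root ; !Al0000-2400   # console login: root only
games ; * ; !waster ; \\
        Wd0000-2400 | Wk1800-0800
"""
RULES = parse_rules(SAMPLE_CONF)

def check(service, tty, user, iso_time, rules=RULES):
    """Convenience wrapper; iso_time like '2024-09-02 10:00' (2024-09-02 is a Monday)."""
    return access_allowed(rules, service, tty, user, datetime.fromisoformat(iso_time))

if __name__ == "__main__":
    for svc, tty, user in [("login", "tty1", "alice"), ("login", "tty1", "root"),
                           ("games", "tty1", "bob"), ("games", "tty1", "waster")]:
        print(svc, tty, user, "->", "allow" if check(svc, tty, user, "2024-09-02 10:00") else "deny")
```

Running the block prints the verdict for four Monday-morning requests; the malformed-rule path (wrong field count, two wildcards in a token, a bad HHMM value) raises ValueError, which is where a deployment script would log the error, as the module itself does via syslog.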
Note that currently there is no daemon enforcing the end of a session: the module is consulted only when the account is checked, so a session established inside a permitted window is not terminated when that window closes. This needs to be remedied.
Poorly formatted rules are logged as errors using syslog(3).