These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples. In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:
account required /lib/security/pam_time.so
The remaining lines should be placed in /etc/security/time.conf.
1. Only allow user nikesh to login on weekdays between 7 am and 5 pm (Wk = Monday to Friday; Wd means the weekend days, Saturday and Sunday).
login;*;nikesh;Wk0700-1700
2. Allow users A & B to login on all days between 8 am and 5 pm except for Sunday.
login;*;A|B;AlSu0800-1700
If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.
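To check what a time.conf line will actually permit before deploying it, the day-toggle behaviour described above can be modelled in Python. This is an added example, not part of the original post and not pam_time's own code; the function names are made up for illustration. It assumes a single day/time entry with an optional leading !, ignores the ttys field, and treats the end time as exclusive.

```python
import re
from datetime import datetime

# Day codes from time.conf(5). Wk = Monday to Friday, Wd = weekend days.
DAY_SETS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}
TIME_FIELD = re.compile(r"^(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")


def parse_days(codes):
    """Toggle each two-letter code in turn: naming a day twice unsets it."""
    days = set()
    for i in range(0, len(codes), 2):
        days ^= DAY_SETS[codes[i:i + 2]]
    return days


def time_field_matches(field, when):
    """Return True if datetime `when` falls inside one day/time-range entry."""
    m = TIME_FIELD.match(field)
    if not m:
        raise ValueError(f"unsupported time field: {field!r}")
    negate, codes, start, end = m.groups()
    days, start, end = parse_days(codes), int(start), int(end)
    now = when.hour * 100 + when.minute     # HHMM as an integer
    today = when.weekday()                  # Monday == 0, as in DAY_SETS
    if start < end:                         # range within one day
        hit = today in days and start <= now < end
    else:                                   # range runs past midnight
        yesterday = (today - 1) % 7
        hit = (today in days and now >= start) or (yesterday in days and now < end)
    return hit != bool(negate)              # "!" inverts the result


def login_allowed(rule, user, when):
    """Evaluate one 'services;ttys;users;times' line for the login service."""
    service, _ttys, users, times = rule.split(";")
    if service != "login" or (users != "*" and user not in users.split("|")):
        return True                         # rule does not apply to this user
    return time_field_matches(times, when)
```

Running candidate rules through login_allowed with a few weekday and weekend timestamps shows quickly whether a day code such as Wk, Wd or AlSu covers the days intended.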
Access Based Restrictions
/etc/security/access.conf can be used to restrict access by terminal or host. The following must be placed in /etc/pam.d/login in order for these examples to work:
account required /lib/security/pam_access.so
1. Deny nikesh login access on all terminals except for tty1:
-:nikesh:ALL EXCEPT tty1
2. Users in the group operator are only allowed to login from a local terminal:
-:operator:ALL EXCEPT LOCAL
3. Allow user A to only login from a trusted server:
-:A:ALL EXCEPT trusted.somedomain.com
5 comments:
hey,
thanks for posting this, it helped me a lot.
-Braydon
if you want to include ssh into this configuration, edit /etc/pam.d/sshd and add:
account required pam_access.so
hi
I tried to implement this, but user "test" can still log in to the system
below is my time.conf
########
login;*;test1;Th1109-1115
#######
and below is my /etc/pam.d/login file
################
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required /lob/security/pam_time.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
##########################
After doing all this, user test1 can still log in after the defined time period.
kindly help to sort out this problem
Regards,
Rashid
After configuring this, the user can still log in to the system
below is my /etc/security/time.conf file
login;*;test1;Th1100-1115
and below is my /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required /lob/security/pam_time.so
##############
kindly help me to sort out this problem
rashid
It looks like you've typed /lob/ instead of /lib/