
How to set Access/Restrictions on users logins

Time Based Restrictions
These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples. In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:

account    required    /lib/security/pam_time.so

The remaining lines should be placed in /etc/security/time.conf.

1. Only allow user nikesh to log in on weekdays between 7 am and 5 pm. (Wk means Monday to Friday; Wd means the weekend days, Saturday and Sunday.)

      login;*;nikesh;Wk0700-1700

2. Allow users A & B to log in on all days except Sunday, between 8 am and 5 pm.

      login;*;A|B;AlSu0800-1700

If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.
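To check a times field before putting it in /etc/security/time.conf, the day toggling described above can be modelled in a few lines of Python. This is an added example, not part of the original post and not pam_time's own code: the function names are hypothetical, the dates are constructed, and the model is simplified (one day/time range per rule, service and tty fields not checked).

```python
from datetime import datetime

# Day tokens and bitmasks as used by pam_time (Su is bit 0, Sa is bit 6).
DAY_BITS = {
    "Su": 0o001, "Mo": 0o002, "Tu": 0o004, "We": 0o010,
    "Th": 0o020, "Fr": 0o040, "Sa": 0o100,
    "Wk": 0o076,   # Monday to Friday
    "Wd": 0o101,   # weekend days: Saturday and Sunday
    "Al": 0o177,   # all seven days
}

def day_mask(days: str) -> int:
    """XOR the two-letter tokens together, so a repeated day is unset."""
    if len(days) % 2:
        raise ValueError(f"odd-length day list: {days!r}")
    mask = 0
    for i in range(0, len(days), 2):
        mask ^= DAY_BITS[days[i:i + 2].capitalize()]
    return mask

def time_allows(spec: str, when: datetime) -> bool:
    """Evaluate one day/time-range entry such as 'AlSu0800-1700'."""
    negate = spec.startswith("!")          # a leading '!' inverts the result
    body = spec.lstrip("!")
    split = next(i for i, ch in enumerate(body) if ch.isdigit())
    mask = day_mask(body[:split])
    start, end = (int(t[:2]) * 60 + int(t[2:]) for t in body[split:].split("-"))
    today = 1 << ((when.weekday() + 1) % 7)    # Python Monday=0 -> bit 1
    now = when.hour * 60 + when.minute
    if start < end:                            # range within one day
        hit = bool(mask & today) and start <= now < end
    else:                                      # range wraps past midnight
        tomorrow = ((mask << 1) | (mask >> 6)) & 0o177
        hit = (bool(mask & today) and now >= start) or \
              (bool(tomorrow & today) and now <= end)
    return hit != negate

def login_permitted(rule: str, user: str, when: datetime) -> bool:
    """Apply one 'services;ttys;users;times' line to a user.
    Simplified: users is '*' or a plain '|' list; service/tty are ignored."""
    _service, _tty, users, times = (f.strip() for f in rule.split(";"))
    names = [u.strip() for u in users.split("|")]
    if "*" not in names and user not in names:
        return True                            # rule does not apply to this user
    return time_allows(times, when)
```

For instance, login_permitted("login;*;A|B;AlSu0800-1700", "A", datetime(2024, 1, 7, 9, 0)) is False because 7 January 2024 is a Sunday, while the same call for a user not named in the rule returns True.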

Access Based Restrictions
/etc/security/access.conf can be used to restrict access by terminal or host. The following must be placed in /etc/pam.d/login in order for these examples to work:

account    required   /lib/security/pam_access.so

1. Deny nikesh login access on all terminals except for tty1:

      -:nikesh:ALL EXCEPT tty1

2. Users in the group operator are only allowed to log in from a local terminal:

      -:operator:ALL EXCEPT LOCAL

3. Allow user A to log in only from a trusted server:

      -:A:ALL EXCEPT trusted.somedomain.com


5 comments:

Anonymous said...

hey,
thanks for posting this, it helped me a lot.

-Braydon

Brian A. Musson said...

If you want to include ssh in this configuration, edit /etc/pam.d/sshd and add:

account required pam_access.so

Anonymous said...

hi
I tried to implement but still user "test" can login to system
below is my time.conf
########
login;*;test1;Th1109-1115
#######
and below is my /etc/pam.d/login file
################
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required /lob/security/pam_time.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
##########################

After doing all this, user test1 can still log in after the defined time period.

kindly help to sort out this problem

Regards,


Rashid

Anonymous said...

After configuring this, the user can still log in to the system.
below is my /etc/security/time.conf file

login;*;test1;Th1100-1115

and below is my /etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required /lob/security/pam_time.so
##############

kindly help me to sort out this problem
rashid

Anonymous said...

It looks like you've typed /lob/ instead of /lib/
