logon limits? 2006-06-23 - By Stuart Sears
Rick Stevens wrote:
> On Tue, 2006-06-20 at 10:44 -0700, chuck lawrence wrote:
> ...
>> My Windows AD domain allows me to set domain users "logon hours", which
>> supposedly can limit specific users to specific hours. Is there a Linux
>> equivalent?
>
> Yes. It's a bit long to go into in an email posting, but if you do
> "man login" and look at the "SPECIAL ACCESS RESTRICTIONS" section
> dealing with /etc/usertty, you'll see how to do it.

Rick,

Are you certain about that? The docs seem to suggest the following: "On systems that do not use PAM, the file /etc/usertty specifies additional access restrictions for specific users."
Indeed, trying this in /etc/usertty
USERS bob [mon:tue:wed:thu:fri:8-14]tty3
has absolutely no effect at all outside of the specified hours.
On a PAM-aware system [any modern version of RH or Fedora Core] the correct solution to this is probably the pam_time library.
This means editing 2 files. In /etc/pam.d/system-auth, add the line
account required pam_time.so
to the other account lines. Make sure it is above any lines that contain the word 'sufficient', or it will *not* work.
This tells the PAM system to apply time restrictions when users are authenticating.
Now we need to add restrictions. The config for pam_time is /etc/security/time.conf. Very helpfully, the authors have printed out the manpage at the top of this file, but in summary a line in here looks a bit like
service; consoles; users; times, e.g.
login;tty*;bob;!Al0000-1500
will prevent the user bob from logging in (well, running the login service, which amounts to much the same thing) on any virtual terminal between midnight and 3pm. To prevent graphical logins, the service name you may want to use is gdm.
To *allow* bob to do this (but not outside those times) the line is a bit like this:
login;tty*;bob;Al0000-1500
I.e. the ! is removed.
RTFM for more info on this: /usr/share/doc/pam-0*/html/index.html (there are text versions too).
A word of warning: PAM is *very* powerful and can thoroughly break your system. Be very careful which users you put in that file. A typo in a PAM config file can lock even root out of the system - at which point your only recourse is to boot into single-user mode. Leave a root session open while you test this for other users.
<snip rest of Rick's outstanding advice>
kind regards
Stuart
-- 
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
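The time.conf rules discussed above, as an added example that is not part of the original post or of pam_time itself: a small Python evaluator of the services;ttys;users;times syntax, plus a dry run that lists the hours of a week at which a given user (root included) would be refused, which is the kind of check the warning above calls for before the file goes live. It assumes pam_time's documented semantics (a line whose services, ttys and users all match and whose times term is false at that moment denies), supports only the '!', '*' and '|' operators and same-day HHMM-HHMM ranges, and uses constructed sample rules.

```python
import fnmatch
from datetime import datetime, timedelta

# Day codes used in /etc/security/time.conf, as Python weekday() numbers (Monday == 0).
DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
             "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

def match_field(field, value):
    """A services/ttys/users field: leading '!' negates, '*' globs, '|' separates alternatives."""
    negate = field.startswith("!")
    field = field[1:] if negate else field
    hit = any(fnmatch.fnmatchcase(value, alt.strip()) for alt in field.split("|"))
    return hit != negate

def in_times(spec, when):
    """A times term such as 'Al0000-1500' or '!Wk0800-1800', evaluated at datetime `when`."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    days = set()
    while spec[:2] in DAY_CODES:
        days ^= DAY_CODES[spec[:2]]  # a repeated day code toggles it off, e.g. AlFr = all days but Friday
        spec = spec[2:]
    start, end = (int(hhmm) for hhmm in spec.split("-"))  # same-day HHMM-HHMM range only
    now = when.hour * 100 + when.minute
    return (when.weekday() in days and start <= now < end) != negate

def at(weekday, hour, minute=0):
    """Constructed datetime in the week of Monday 2006-06-19, so .weekday() equals `weekday`."""
    return datetime(2006, 6, 19) + timedelta(days=weekday, hours=hour, minutes=minute)

def allowed(conf_lines, service, tty, user, when):
    """A line whose services/ttys/users all match and whose times term is false at `when` denies."""
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in conf_lines)):
        svc, ttys, users, times = (f.strip() for f in line.split(";"))
        if (match_field(svc, service) and match_field(ttys, tty) and match_field(users, user)
                and not in_times(times, when)):
            return False, line  # denied, and the line responsible
    return True, None

def lockout_windows(conf_lines, user, service="login", tty="tty1"):
    """Dry run before deploying: every (weekday, hour) of a week at which `user` would be refused."""
    return [(d, h) for d in range(7) for h in range(24)
            if not allowed(conf_lines, service, tty, user, at(d, h))[0]]

SAMPLE_CONF = [  # constructed sample: the post's two rules plus one deliberately over-broad line
    "login;tty*;bob;!Al0000-1500",  # bob may not use a virtual terminal between 00:00 and 15:00
    "gdm;*;bob;Al0000-1500",        # graphical logins for bob only between 00:00 and 15:00
    "login;tty*;*;Wk0800-1800",     # '*' in the users field also locks root out off-hours
]
```

Running `lockout_windows(SAMPLE_CONF, "root")` shows the third line would refuse root on every tty outside weekday office hours, which is exactly the mistake worth catching with a spare root session still open.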