Restrict remote access by time?
This isn't a question about a vulnerability or security threat, so it
might be the wrong list. If so, my apologies in advance. I'm trying to
tighten a specific part of our security though, so I hope this is apropos
to the list.
I am trying to figure out a good way to restrict access to some specific
systems based on time and date.
I've looked at pam_time which would allow setting user by user rules based
on day/time, but I'm looking for something that would be easy to maintain
when we need to give a remote single user (mostly) exclusive access to a
system for an arbitrary number of hours, and then at the end of that time
end their SSH connection.
Clients will be mostly using NX to connect to an NX server but I would
prefer to cut ALL access outside of their allotted time - though if the
free or NoMachine NX server provides a good way to restrict who can
connect without totally disabling "system" accounts, and then there is a
good way to prohibit most other usernames other than NX from connecting
that might also be an option.
Ideally we would set a calendar, and then it would work without
supervision for the next 6/12 months, but with the option to adjust it if
there are cancellations or changes.
I've considered hosts.allow/deny but we would prefer it to be account
based rather than host/ip# based.
As I mentioned pam_time might work but looks a little awkward for this.
User information is stored in a Fedora Directory Service (LDAP).
We are not currently using Kerberos and implementing it at this time would
not be practical.
While I would like to keep the solution "pure" Debian/OS/Free Software,
there is a budget, and 3rd party applications are not out of the question.
So, given the criteria, I would welcome any suggestions, research leads,
or input from those who have put together similar projects.
Thanks in Advance!
Computing Systems Manager
LS Bld. IIT Main Campus
Chicago IL 60616
He who fights with monsters must take care lest he thereby become a
monster. And if you gaze for long into an abyss, the abyss gazes also into
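
An added illustration, not part of the original post and not code from pam_time or NX: pam_time rules name weekdays rather than calendar dates, so a date-based booking calendar has to be rendered into a fresh `time.conf` for each day. The sketch below does that for constructed bookings; the user names, the exempt accounts `root` and `nx`, and the `sshd` service name are assumptions.

```python
from datetime import datetime, date, time, timedelta

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # pam_time day codes, Monday first

# Constructed sample bookings: (user, start, end). Names and dates are made up.
BOOKINGS = [
    ("alice", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 17, 0)),
    ("bob", datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 5, 6, 0)),
    ("carol", datetime(2024, 3, 6, 8, 0), datetime(2024, 3, 6, 12, 0)),
]
ALWAYS_ALLOWED = ["root", "nx"]  # assumed accounts that are exempt from booking

def windows_for_day(bookings, day):
    """Clip each booking to `day`; return {user: [(HHMM, HHMM), ...]}."""
    day_start = datetime.combine(day, time.min)
    day_end = day_start + timedelta(days=1)
    out = {}
    for user, start, end in bookings:
        s, e = max(start, day_start), min(end, day_end)
        if s < e:  # the booking overlaps this day
            end_txt = "2400" if e == day_end else e.strftime("%H%M")
            out.setdefault(user, []).append((s.strftime("%H%M"), end_txt))
    return out

def time_conf_lines(bookings, day, service="sshd"):
    """Render time.conf rules (services;ttys;users;times) valid for `day` only."""
    code = DAYS[day.weekday()]
    wins = windows_for_day(bookings, day)
    lines = []
    for user in sorted(wins):
        times = "|".join(f"{code}{a}-{b}" for a, b in wins[user])
        lines.append(f"{service};*;{user};{times}")
    # Negation applies per name, so "none of these users" is !a & !b & ...
    others = " & ".join("!" + u for u in ALWAYS_ALLOWED + sorted(wins))
    lines.append(f"{service};*;{others};!Al0000-2400")  # everyone else: never
    return lines

def users_outside_window(bookings, now):
    """Booked users with no window covering `now`. pam_time is only checked
    at login, so their open sessions have to be ended by something else."""
    active = {u for u, s, e in bookings if s <= now < e}
    return sorted({u for u, _, _ in bookings} - active)

if __name__ == "__main__":
    print("\n".join(time_conf_lines(BOOKINGS, date(2024, 3, 4))))
```

Because a rule such as `Mo0900-1700` matches every Monday, the generated file is only correct for the day it was rendered for and has to be rewritten at each midnight.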