
Re: restricting login times



On Mon, Mar 25, 2013 at 11:06 AM, Hugo Vanwoerkom <hvw59601@care2.com> wrote:
> Joel Rees wrote:
>>
>> I know this is the wrong way to solve the underlying problems, but
>> sometimes brute force is required.
>>
>> I found this ancient post on using PAM and /etc/security/time.conf to
>> accomplish this kind of thing on techrepublic (Complete with typos: A1
>> for Al? What bot edited that?):
>>
>>
>> http://www.techrepublic.com/article/using-pam-to-restrict-access-based-on-time/1055269
>>
>> And I've been puzzling through the man pages (time.conf and so forth),
>> but don't seem to be able to get any effect at all.
>>
>> Here are some of the rules I've tried, one at a time:
>>
>> login; tty*; user1; !Al0000-2400
>>
>> *;*;user1;Al1200-2300
>>
>> *;*;user1;!Al2300-1200
>>
>> I've looked around the man pages for a hint on some daemon that might
>> need to be restarted but haven't seen anything where I've looked so
>> far.
>>
>> I always miss something obvious when I start digging into something
>> like this, anyone care to tell me what I'm missing, before I go off
>> the deep end and start editing the login source code directly? (Seems
>> like it shouldn't be too hard to make login fail based on the time.)
>>
>
> Looks OK to me.

I did not want to hear that.

> Did you try those 2 examples in time.conf?

The silly ones?

Well, it's no longer the weekend here, and I have root login disabled,
so I'll have to monkey with my configuration to try the second one.

And I have no idea what the "blank" service is, so I'd have to
substitute on the first one. I've been looking for a list of names of
services, don't see one. Are those determined by the name of the
executable? Or the process name as shown by ps or something?

And the question that keeps me thinking, tty* are physical terminals,
right? Connected by serial port?

ttyp* are the virtual consoles, such as you switch around when you hit
ctl-alt-Fn? The ones that allow you to login to an X11 session?

I did try substituting login for blank, then swapping the inversion
from ttyp* to tty* . No effect on the ability of non-root users to
login:

login; ttyp* & !ttyp*; !root; !Al0000-2400

and then

login; !ttyp* & tty*; !root; !Al0000-2400

> Hugo

Thanks for the hints.

--
Joel Rees
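
An added example, not part of the original message and not pam_time's own code: a simplified Python model of the `services;ttys;users;times` syntax documented in time.conf(5), run against the rules quoted above. It assumes the pam_time module is in the service's PAM account stack, which is the only case in which time.conf is consulted; all function names are hypothetical.

```python
import re

# Day codes from time.conf(5) as bitmasks; a repeated day toggles off (XOR).
DAYS = {"su": 0o1, "mo": 0o2, "tu": 0o4, "we": 0o10, "th": 0o20, "fr": 0o40,
        "sa": 0o100, "wk": 0o76, "wd": 0o101, "al": 0o177}

def glob_match(value, pattern):
    """Literal comparison with at most one '*' wildcard (simplified model)."""
    head, star, tail = pattern.partition("*")
    if not star:
        return value == pattern
    return len(value) >= len(head + tail) and value.startswith(head) and value.endswith(tail)

def time_match(day, hhmm, spec):
    """day is a DAYS bit, hhmm is e.g. 1000; spec looks like 'Al1200-2300'."""
    m = re.fullmatch(r"((?:[A-Za-z]{2})+)(\d{4})-(\d{4})", spec)
    if not m:
        raise ValueError("bad time spec: " + spec)
    mask = 0
    for i in range(0, len(m.group(1)), 2):
        mask ^= DAYS[m.group(1)[i:i + 2].lower()]
    start, end = int(m.group(2)), int(m.group(3))
    if start < end:  # window inside one day
        return bool(day & mask) and start <= hhmm < end
    nxt = ((mask << 1) | (mask >> 6)) & 0o177  # window runs past midnight
    return bool(day & mask and hhmm >= start) or bool(day & nxt and hhmm <= end)

def logic_field(expr, test):
    """Evaluate a '&' / '|' list left to right; a leading '!' negates an item."""
    result, op = False, "|"
    for tok in re.findall(r"[&|]|!*[^&|!]+", re.sub(r"\s", "", expr)):
        if tok in ("&", "|"):
            op = tok
            continue
        val = test(tok.lstrip("!")) != (tok.count("!") % 2 == 1)
        result = (result and val) if op == "&" else (result or val)
    return result

def allowed(rule, service, tty, user, now):
    """A rule denies only when service, tty and user all match and the time does not."""
    services, ttys, users, times = rule.split(";")
    applies = (logic_field(services, lambda p: glob_match(service, p))
               and logic_field(ttys, lambda p: glob_match(tty, p))
               and logic_field(users, lambda p: glob_match(user, p)))
    return not applies or logic_field(times, lambda s: time_match(*now, s))

NOW = (DAYS["mo"], 1000)  # constructed sample: a Monday at 10:00
for rule in ("login; tty*; user1; !Al0000-2400", "login; ttyp* & !ttyp*; !root; !Al0000-2400"):
    print(rule, "->", allowed(rule, "login", "tty1", "user1", NOW))
```

In this model the `ttyp* & !ttyp*` variant can never match any terminal, so that rule never applies, while `!ttyp* & tty*` does match `tty1` and denies every user except root.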

