Re: restricting login times



erk.

On Mon, Mar 25, 2013 at 2:33 PM, Joel Rees <joel.rees@gmail.com> wrote:
> On Mon, Mar 25, 2013 at 11:06 AM, Hugo Vanwoerkom <hvw59601@care2.com> wrote:
>> Joel Rees wrote:
>>>
>>> I know this is the wrong way to solve the underlying problems, but
>>> sometimes brute force is required.
>>>
>>> I found this ancient post on using PAM and /etc/security/time.conf to
>>> accomplish this kind of thing on techrepublic (Complete with typos: A1
>>> for Al? What bot edited that?):
>>>
>>>
>>> http://www.techrepublic.com/article/using-pam-to-restrict-access-based-on-time/1055269
>>>
>>> And I've been puzzling through the man pages (time.conf and so forth),
>>> but don't seem to be able to get any effect at all.
>>>
>>> Here are some of the rules I've tried, one at a time:
>>>
>>> login; tty*; user1; !Al0000-2400
>>>
>>> *;*;user1;Al1200-2300
>>>
>>> *;*;user1;!Al2300-1200
>>>
>>> I've looked around the man pages for a hint on some daemon that might
>>> need to be restarted but haven't seen anything where I've looked so
>>> far.
>>>
>>> I always miss something obvious when I start digging into something
>>> like this, anyone care to tell me what I'm missing, before I go off
>>> the deep end and start editing the login source code directly? (Seems
>>> like it shouldn't be too hard to make login fail based on the time.)
>>>
>>
>> Looks OK to me.
>
> I did not want to hear that.
>
>> Did you try those 2 examples in time.conf?
>
> The silly ones?
>
> Well, it's no longer the weekend here, and I have root login disabled,
> so I'll have to monkey with my configuration to try the second one.
>
> And I have no idea what the "blank" service is, so I'd have to
> substitute on the first one. I've been looking for a list of names of
> services, don't see one. Are those determined by the name of the
> executable? Or the process name as shown by ps or something?
>
> And the question that keeps me thinking: tty* are physical terminals,
> right? Connected by serial port?
>
> ttyp* are the virtual consoles, such as you switch around when you hit
> ctl-alt-Fn? The ones that allow you to login to an X11 session?
>
> I did try substituting login for blank, then swapping the inversion
> from ttyp* to tty*. No effect on the ability of non-root users to
> log in:
>
> login; ttyp* & !ttyp*; !root; !Al0000-2400

login; tty* & !ttyp*; !root; !Al0000-2400

> and then
>
> login; !ttyp* & tty*; !root; !Al0000-2400

login; ttyp* & !tty*; !root; !Al0000-2400

>> Hugo
>
> Thanks for the hints.

Hmm. Shutting down access to non-root users from all consoles would be

login; !tty* & !ttyp*; !root; !Al0000-2400

or even

login; !*; !root; !Al0000-2400

Nope. Can't get any variation of logic with the tty* and ttyp* to
restrict login, either.

PAM is putting out log messages to the effect of successful logins, so
PAM itself seems to be operational.

--
Joel Rees
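Added example, not part of the thread above: a small evaluator for the time.conf(5) rule syntax that pam_time(8) reads, so a rule can be checked on paper before the PAM stack is touched. Two points a practitioner would check first, independent of the rules themselves: pam_time.so only ever looks at /etc/security/time.conf when the service's PAM stack calls it, i.e. there has to be an account line such as `account requisite pam_time.so` in /etc/pam.d/login (Debian ships that line commented out), and the services field is the name of that file under /etc/pam.d/, not a process or executable name. The code follows the documented syntax (four ';'-separated fields services;ttys;users;times, each a logic list joined with '&' and '|', '!' negating an item, '*' as wildcard, day codes Mo Tu We Th Fr Sa Su Wk Wd Al where a repeated code toggles so that MoWk means Tuesday to Friday, and HHMM-HHMM ranges that may wrap past midnight). Assumptions of this example, not statements about Linux-PAM: '&' and '|' are evaluated left to right with no precedence, '*' is matched with fnmatch, the early-morning part of a wrapped range is attributed to the day the range started, and the users field holds plain usernames only. The sample time.conf is constructed; its first rule is the console example from the man page.

```python
from datetime import datetime
from fnmatch import fnmatchcase
import re

# Day codes from time.conf(5); values are Python weekday() numbers (Mon=0).
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4},         # weekdays
    "Wd": {5, 6},                  # weekend
    "Al": {0, 1, 2, 3, 4, 5, 6},   # every day
}
TIME_ITEM = re.compile(r"^((?:[A-Z][a-z])+)(\d{4})-(\d{4})$")
TOKEN = re.compile(r"[&|]|[^&|\s]+")


def eval_logic(field, item_matches):
    """Evaluate a logic list such as 'tty* & !ttyp*' left to right (assumption:
    no operator precedence).  item_matches(item) decides one bare item; a
    leading '!' inverts that decision."""
    result, op = None, None
    for tok in TOKEN.findall(field):
        if tok in ("&", "|"):
            op = tok
            continue
        negate = tok.startswith("!")
        value = item_matches(tok.lstrip("!")) != negate
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)


def match_time(item, when):
    """One times item such as 'Wk0800-1800', 'MoWk0900-1700' or 'Al2300-0600'."""
    m = TIME_ITEM.match(item)
    if not m:
        raise ValueError("bad time item: %r" % item)
    days = set()
    for code in re.findall(r"[A-Z][a-z]", m.group(1)):
        days ^= DAY_CODES[code]          # a repeated code toggles: MoWk = Tu..Fr
    start = int(m.group(2)[:2]) * 60 + int(m.group(2)[2:])
    end = int(m.group(3)[:2]) * 60 + int(m.group(3)[2:])
    now = when.hour * 60 + when.minute
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    if start <= end:
        return today in days and start <= now < end
    # Range wraps past midnight (e.g. 2300-0600): the early part belongs to the
    # day the range started.  Assumption of this example.
    return (today in days and now >= start) or (yesterday in days and now < end)


def parse_time_conf(text):
    """Return [(services, ttys, users, times), ...]; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError("expected 4 ';'-separated fields: %r" % line)
        rules.append(tuple(fields))
    return rules


def access_allowed(rules, service, tty, user, when):
    """Every rule whose services/ttys/users fields match (service, tty, user)
    must also have a true times field at 'when'; otherwise access is denied.
    With no applicable rule the module stays out of the way (allowed).
    'when' is a datetime or a 'YYYY-MM-DD HH:MM' string."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    for services, ttys, users, times in rules:
        applies = (eval_logic(services, lambda p: fnmatchcase(service, p))
                   and eval_logic(ttys, lambda p: fnmatchcase(tty, p))
                   and eval_logic(users, lambda p: fnmatchcase(user, p)))
        if applies and not eval_logic(times, lambda p: match_time(p, when)):
            return False
    return True


# Constructed sample.  The service name is the file name under /etc/pam.d/.
SAMPLE_TIME_CONF = """
login ; tty* & !ttyp* ; !root ; !Al0000-2400   # non-root: never on a console
sshd  ; *             ; user1 ; Wk0800-1800 | Wd1200-1400
login ; pts*          ; user2 ; Al2300-0600    # night shift, wraps midnight
"""
RULES = parse_time_conf(SAMPLE_TIME_CONF)

if __name__ == "__main__":
    when = "2013-03-25 10:00"                    # a Monday morning
    for who, where in (("user1", "tty1"), ("root", "tty1"), ("user1", "ttyp0")):
        verdict = "allowed" if access_allowed(RULES, "login", where, who, when) else "denied"
        print("login %s on %s at %s: %s" % (who, where, when, verdict))
```

Running it shows the man page rule doing what its comment says: user1 on tty1 is denied, root on tty1 and user1 on ttyp0 are allowed because the rule does not apply to them at all. A rule like `*;*;user1;Al1200-2300` from the thread evaluates to "denied" at 10:00 and "allowed" at 15:00, which is the behaviour to expect once pam_time.so is actually in the account stack.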