Re: restricting login times

To: debian-user@lists.debian.org
Subject: Re: restricting login times
From: Joel Rees <joel.rees@gmail.com>
Date: Mon, 25 Mar 2013 20:40:38 +0900
Message-id: <[🔎] CAAr43iPZS9iNOezyqqKReUQMEKAiEvYNEPhyT-S1qRz3eDtnBA@mail.gmail.com>
In-reply-to: <[🔎] kiobes$mjr$1@ger.gmane.org>
References: <[🔎] CAAr43iMP=WzN_sCh-LPdX-e=KzxJqcYru38sx++hUcdPHAAJcA@mail.gmail.com> <[🔎] kiobes$mjr$1@ger.gmane.org>

Good news and bad news.

On Mon, Mar 25, 2013 at 11:06 AM, Hugo Vanwoerkom <hvw59601@care2.com> wrote:
> Joel Rees wrote:
>>
>> I know this is the wrong way to solve the underlying problems, but
>> sometimes brute force is required.
>>
>> [...]
>> Here are some of the rules I've tried, one at a time:
>>
>> login; tty*; user1; !Al0000-2400
>>
>> *;*;user1;Al1200-2300
>>
>> *;*;user1;!Al2300-1200
>>
>> I've looked around the man pages for a hint on some daemon that might
>> need to be restarted but haven't seen anything where I've looked so
>> far.
>>
>> I always miss something obvious when I start digging into something
>> like this, anyone care to tell me what I'm missing, before I go off
>> the deep end and start editing the login source code directly? (Seems
>> like it shouldn't be too hard to make login fail based on the time.)
>>
>
> Looks OK to me. Did you try those 2 examples in time.conf?
>
> Hugo

I didn't have to get either the silly or simple example working.

Tried, but I couldn't, without enabling pam_time in /etc/pam.d .

In each of

/etc/pam.d/login

and

/etc/pam.d/su

Uncommented the line

# account    requisite  pam_time.so

And put the line

*;*;user1;!Al0000-2400

(all day, which is not the ultimate goal) in

/etc/security/time.conf

and PAM blocks console login for user1, with the message "Login
denied" or something like that. But not X11.

Getting close.

So, I added the line

account    required        pam_time.so

(required, not requisite) to

/etc/pam.d/gdm

and that blocks user1 from logging in to xfce4 through gdm. I assume
it won't block xfce4 through kdm if I install kdm.

I'm not sure about the change from requisite to required for gdm. I
know it has to be account.

So, now that I know it works, the line (for now) in

/etc/security/time.conf

is

*;*;userb, userg,userp;!Al2300-0500

to keep my kids from logging in while I'm asleep.

Getting them to understand why they have to exercise self control when
they can't see the dangers themselves will require a completely
different course, and this particular technique may make that course
so much harder, but I have to get some sleep.

--
Joel Rees

Reply to:

Follow-Ups:
- Re: restricting login times
  - From: Rob Owens <rowens@ptd.net>

References:
- restricting login times
  - From: Joel Rees <joel.rees@gmail.com>
- Re: restricting login times
  - From: Hugo Vanwoerkom <hvw59601@care2.com>

Prev by Date: Re: Fwd: Running Nvidia Driver Without an xorg.conf?
Next by Date: Re: need advice on remote installation of Debian
Previous by thread: Re: restricting login times
Next by thread: Re: restricting login times
Index(es):
- Date
- Thread