Restricting Login in Linux

By Thomas Vachon

When we talk about forcing a user to log off, what we're really talking about is time restrictions on certain account system access and services. The easiest way I've found to implement time restrictions is by using software called Linux-PAM

Pluggable Authentication Module (PAM) is a mechanism for authenticating users. Specifically, we're going to use the pam_time module to control timed access for users to services.

Using the pam_time module, we can set access restrictions to a system and/or specific applications at various times of the day as well as on specific days. Depending on the configuration, you can use this module to deny access to individual users based on their name, the time of day, the day of week, the service they're applying for, and their terminal from which they're making the request.

When using pam_time, you must terminate the syntax or rule in the /etc/security/time.conf file with a newline.

Always remeber that pound sign [#] is a comment and the system will ignore that text inline to it.

This is an example configuration file for the pam_time module.
The syntax of the lines is as follows:

  1. The first field services = list of PAM service names.
  2. The second field tty = logic list of terminal names.
  3. The third field user = is a logic list of users or a netgroup of users.
  4. The fourth field times = indicates the applicable times.

Here's an example of a typical set of rules:</p>

login ; \* ; !root ; 0800-2000

http ; \* ; !root; 0800-2000

ftp ; \* ; !root; 0800-2000

These rules restrict user ron from logging on between the hours of 0800 and 2000. They also restrict http and ftp access during these hours.

Root would be able to logon at any time and browse the Internet during all times as well.