LinuxQuestions.org


kingston 01-14-2010 12:56 AM

pam time restrictions not working !!?
 
Hi all,
I don't want to allow the user winny on Saturdays and Sundays. I added the following line in the /etc/security/time.conf file.

login;*;winny;!SaSu0000-2400

Then I added the following line in the /etc/pam.d/login file.

account required pam_time.so

This is the first line of that login file. But if I try to log in with the username winny, it allows me to log in. Does anything have to be changed? I need your help, guys.

Tinkster 01-14-2010 01:19 AM

Not if it's not the weekend. You told PAM to block winny for 48 hours of
the weekend, which is a day away (for me, anyway; your mileage may vary).

kingston 01-14-2010 03:14 AM

That's just an example, yaar... OK, take it...
login;*;winny;!Al0000-2400

Even if I add the above line, it is not working... What do you say now?

kingston 01-19-2010 05:02 AM

how to block users for particular days?
 
Hi all,
I don't want to allow the user winny on Saturdays and Sundays. Can someone tell me how to implement this on RHEL 5?

Thanks in advance.

linuxlover.chaitanya 01-19-2010 05:23 AM

Are you talking about denying in squid?

chrism01 01-19-2010 05:45 PM

For logins etc., try pam_time: http://www.kernel.org/pub/linux/libs...-pam_time.html

kingston 01-20-2010 12:33 AM

Hi chrism01,
I have added the following line to the /etc/security/time.conf file:
login;*;winston;!We0000-2400
Then I added an entry in the /etc/pam.d/login file,
i.e.

account required pam_time.so

But now, when I log in locally through the command-line interface, it denies me. Through the GUI, however, it allows me to log in as winston. If I do rlogin or ssh from other clients, that also works. I want to restrict that user in every way. How can I do this?

chrism01 01-20-2010 12:42 AM

If you look in /etc/pam.d there's probably (should be) an sshd file to edit as well.
Not sure about X-win, but there should be a relevant file in there.
You'll also have to make sure that user is completely logged out. iirc, the GUI clones the first login and just copies it, so it might not notice the change.
Don't have a Linux system here with X-win to check.

kirukan 01-20-2010 12:55 AM

Refer to the following:
http://tuxradar.com/answers/283

kingston 01-20-2010 01:06 AM

Sorry chrism01, it doesn't work... Here is the content of the pam.d/sshd file (I've added the line "account required pam_time.so"):

#%PAM-1.0
account required pam_time.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
~
~

Rebooted the machine once. Then I tried to log in through ssh from one of my clients. It allows me.
sssssssshhhhhhhhh....what to do?

forrestt 01-20-2010 01:29 AM

Add the following to root crontab file:

Code:

# minute hour day-of-month month day-of-week command
0 0 * * 6 passwd -l winny
0 0 * * 6 killall -u winny
59 23 * * 0 passwd -u winny

May not be the prettiest way to do it, but it should work.

HTH

Forrest

kingston 01-20-2010 04:59 AM

I blocked rlogin and ssh by making entries in the /etc/security/time.conf file.
The entries are:
login;*;winny;!We0000-2400
sshd;*;winny;!We0000-2400
rlogin;*;winny;!We0000-2400
and also in the /etc/pam.d/sshd and rlogin files. Everything works fine except the local GUI. In the GUI it allows me to log in. I think the crontab will do for the GUI.

Let me try !!

Thanks for the help gurus....

chrism01 01-20-2010 05:45 PM

I'd ask RH, assuming that's a registered system. I'd like to know the (proper) solution myself.

kingston 01-20-2010 11:29 PM

That would be great... I will wait for that... I am happy that I have asked a good question and your approach to know the answer.

Tinkster 01-21-2010 12:11 AM

What happens when you replace 'login' with 'system-auth' or '*'?
Untested - my slack machine doesn't use PAM at this stage.


Cheers,
Tink


P.S.: I merged your two threads.
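
The behaviour seen in this thread follows from the first field of a time.conf rule, which is matched against the PAM service name. The sketch below is an added example, not part of the thread and not pam_time's own code: a simplified evaluator (single tokens with `!` and `*` only, no `&`/`|` lists, no wrap-around time ranges) that reports which services a rule set leaves open. The service name `gdm` for the GUI login, the tty `tty1`, the wildcard rule and the test dates are assumptions made for the example.

```python
import fnmatch
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]   # datetime.weekday() order
GROUPS = {"Wk": DAYS[:5], "Wd": DAYS[5:], "Al": DAYS}

def field_matches(pattern, value):
    """One token, optional leading '!' and '*' wildcard (no '&' or '|' lists)."""
    negate = pattern.startswith("!")
    return fnmatch.fnmatchcase(value, pattern.lstrip("!")) != negate

def time_matches(spec, when):
    """Evaluate one times token such as '!SaSu0000-2400' (start < end assumed)."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    day_codes, hours = spec[:-9], spec[-9:]
    days = set()
    for i in range(0, len(day_codes), 2):
        code = day_codes[i:i + 2]
        days ^= set(GROUPS.get(code, [code]))        # a repeated day cancels out
    start, end = hours.split("-")
    hit = DAYS[when.weekday()] in days and start <= when.strftime("%H%M") < end
    return hit != negate

def access_allowed(time_conf, service, tty, user, when):
    """Deny if any rule applies to (service, tty, user) and its times do not match."""
    for line in time_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times = (f.strip() for f in line.split(";"))
        applies = (field_matches(services, service) and field_matches(ttys, tty)
                   and field_matches(users, user))
        if applies and not time_matches(times, when):
            return False
    return True

THREAD_RULE = "login;*;winny;!SaSu0000-2400"         # rule from the first post
WILDCARD_RULE = "*;*;winny;!SaSu0000-2400"           # constructed variant
SATURDAY = datetime(2010, 1, 16, 12, 0)              # constructed test time
THURSDAY = datetime(2010, 1, 14, 12, 0)

def services_still_open(rules, when, services=("login", "sshd", "rlogin", "gdm")):
    """PAM service names the rules leave open for winny at the given time."""
    return [s for s in services if access_allowed(rules, s, "tty1", "winny", when)]

if __name__ == "__main__":
    print("login-only rule, Saturday:", services_still_open(THREAD_RULE, SATURDAY))
    print("wildcard rule, Saturday:  ", services_still_open(WILDCARD_RULE, SATURDAY))
```

A rule only takes effect for a service whose /etc/pam.d file also calls pam_time.so in its account stack, as the posts above found for sshd and rlogin.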


All times are GMT -5.