Adding a PAM module: restricting access by time and user
We can tighten the security of the system by adding modules to the configuration file. For example, you can restrict SSH access to certain times of day using the pam_time.so module.
Before editing any PAM configuration file, make a backup copy. You should also keep a root shell open in a virtual terminal or terminal window in case your changes accidentally lock you out of the system. Test the new configuration thoroughly before closing the root shell!
Edit /etc/pam.d/sshd to add pam_time.so in the account section:
auth include system-auth
account required pam_time.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
Notice that the sequence of the lines is critical; if you place the pam_time.so line after the file system-auth is included, it will be ignored for users with IDs less than 500 (such as root) due to the pam_succeed_if.so line in system-auth.
The pam_time.so module restricts access based on the contents of the file /etc/security/time.conf, which is a text file with four semicolon-delimited fields per line. The fields are:
Must match the name of the service file in /etc/pam.d (sshd in this example).
Terminal device names (not useful in this context, so we'll use * to match all terminals).
A list of usernames, combined using ! (not), & (and), or | (or).
A list of days (any combination of Su, Mo, Tu, We, Th, Fr, or Sa, or Wk for weekdays, Wd for weekends, or Al for all days) concatenated to a range of times, expressed in 24-hour format (such as 0600-1800 for 6 a.m. to 6 p.m., local time).
The default /etc/security/time.conf contains extensive notes on the line format.
To prevent all users other than root from connecting via SSH during evenings and weekends, place these lines in /etc/security/time.conf:
# Limit ssh for non-root users to 8 am to 5 pm on weekdays
Note that if there is no line in /etc/security/time.conf that applies to a particular connection, it is permitted by default. These restrictions also apply only when a user logs in; once logged in, the user may stay connected for as long as he chooses.
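The four-field format and the permit-by-default behaviour described above can be checked offline before a rule goes live. This is an added example, not part of the original text: a small Python checker that denies access when a rule matching service, terminal and user fails its time test, and permits otherwise. The function names are hypothetical, the sample rule is constructed, and fnmatch-style wildcards are a simplification of pam_time's own matching.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Day codes toggle bits (XOR), so "AlFr" means every day except Friday.
DAYS = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64,
        "Wk": 31, "Wd": 96, "Al": 127}

def logic(field, test):
    """Evaluate a list such as 'a|!b&c' strictly left to right."""
    parts = re.split(r"([&|])", field.replace(" ", ""))
    result = False
    for op, tok in zip(["|"] + parts[1::2], parts[0::2]):
        neg = tok.startswith("!")
        val = test(tok[1:] if neg else tok) != neg
        result = (result and val) if op == "&" else (result or val)
    return bool(result)

def in_window(spec, now):
    """True if 'now' falls inside a days+HHMM-HHMM entry (end is exclusive)."""
    m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", spec)
    if not m:
        return False
    mask = 0
    for code in re.findall("..", m.group(1)):
        mask ^= DAYS.get(code, 0)
    start, end = int(m.group(2)), int(m.group(3))
    t, today = now.hour * 100 + now.minute, 1 << now.weekday()  # Monday is bit 0
    if start < end:
        return bool(mask & today) and start <= t < end
    yesterday = 1 << ((now.weekday() - 1) % 7)  # range wraps past midnight
    return bool(mask & today and t >= start) or bool(mask & yesterday and t < end)

def permitted(conf, service, tty, user, now):
    """Deny if any rule matching service, tty and user fails its time test."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, ttys, users, times = (f.strip() for f in line.split(";"))
        applies = all(logic(f, lambda p, v=v: fnmatchcase(v, p))
                      for f, v in ((svc, service), (ttys, tty), (users, user)))
        if applies and not logic(times, lambda s: in_window(s, now)):
            return False
    return True  # no applicable rule objected: permitted by default

# Constructed sample rule (not taken from the page).
SAMPLE = "# weekday office hours for everyone but root\nsshd;*;!root;Wk0800-1700\n"
```

Calling permitted() with the service name, a terminal name, a username and a datetime shows how a given login attempt would be treated under the rules in the text passed in.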
To place a time restriction on all types of login (whether through SSH, a local character-mode virtual terminal, or the GUI), place the entry for the pam_time.so module in /etc/pam.d/system-auth instead of /etc/pam.d/sshd:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_time.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
You can then create separate rules for each type of user access in /etc/security/time.conf:
# Character-mode login - Only root is permitted (any time).
# Remote login via ssh - Root is always permitted, other
# users are permitted 8 am to 5 pm on weekdays.
# Graphical-mode login - Not available to root.
# Switching user via 'su' command - not permitted unless
# switching -to- the root user. Note that the root user
# can switch to any other user because of the pam_rootok.so
# module line in /etc/pam.d/su