How to configure User restriction with (PAM) (a kind of parental control)

asked 2011-11-17 16:44:05 +0000

hhlp

I would like to use the kernel module Pluggable Authentication Module (PAM) to restrict access or deny the computer to some users during a specific set of hours. It can also be used to limit access for children (a kind of parental control).

Especially using the command line.


2 answers


answered 2011-11-17 16:48:47 +0000

hhlp

updated 2011-11-17 17:31:44 +0000

When we talk about forcing a user to log off, what we’re really talking about is implementing time restrictions on the account for system access or services. The easiest way I’ve found to implement time restrictions is using a plug-in module called Linux-PAM.

Pluggable Authentication Module (PAM) is a mechanism for authenticating users. Specifically, we’re going to use the pam_time module to control timed access for users to services.

Using the pam_time module, we can set access restrictions to a system and/or specific applications at various times of the day as well as on specific days or over various terminal lines. Depending on the configuration, you can use this module to deny access to individual users based on their name, the time of day, the day of week, the service they’re applying for, and their terminal from which they’re making the request.

When using pam_time, you must terminate the syntax of each line (or rule) in the /etc/security/time.conf file with a newline. You can comment each line with the pound sign [#], and the system will ignore that text until the newline.

Here’s the syntax for a rule:

services;ttys;users;times

The first field — services — is a logic list of PAM service names.
The second field — ttys — is a logic list of terminal names.
The third field — users — is a logic list of users or a netgroup of users.
The fourth field — times — indicates the applicable times.

Here’s an example of a typical set of rules:

login ; * ; !user ; MoTuWeThFr0800-2000
login ; * ; !user ; !Al0000-2400
http ; * ; !user ; MoTuWeThFr0800-2000
http ; * ; !user; !Al0000-2400

These rules restrict user 'user' from logging on between the hours of 0800 and 2000, and they also restrict Internet access during these hours. Root would be able to log on at any time and browse the Internet during all times as well.

Note: The system logs errors with these rules via syslog(3).


With Fedora, it is possible to assign to your computer time restrictions, to prevent the connection of one or more users to your system. With the time restrictions, you can, for example, limit access to the computer for your children (a kind of parental control, in short), or even protect the connection to your server during certain hours.

Manual Configuration

Understand what you will do

Throughout this tutorial, we will use PAM (Pluggable Authentication Modules). It allows you to control user authentication when they connect. Then, we will use the security configuration files to define the logon hours allowed. These manipulations can be performed on any version of Fedora, and require only a simple text editor (vim, emacs, nano, gedit, kate).

Enable Hour Restrictions via the PAM Module

If we want to block the connection to the computer, we will have to change the gdm service. Edit the file so gdm and add this line of code (at the end of file):

account required pam_time.so

GDM is the login screen distributions for Fedora Gnome. For Fedora KDE spin ... (more)

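The rule format above can be dry-run before it goes into /etc/security/time.conf. This is an added example, not part of the answer and not Linux-PAM's code: a simplified Python model of the evaluation documented in time.conf(5), where a rule that matches the service, tty and user denies access when its times field is false. The function names and `CHILD_RULE` are constructed for the example, and netgroups (`@group`) are not modelled.

```python
import re

# Day codes from time.conf(5); Monday is bit 0 to match datetime.weekday().
DAYS = {"mo": 1, "tu": 2, "we": 4, "th": 8, "fr": 16, "sa": 32, "su": 64,
        "wk": 31, "wd": 96, "al": 127}

def logic(field, test):
    """Evaluate a logic list left to right: items joined by & or |, '!' negates."""
    result, op = False, "|"
    for tok in re.findall(r"[&|]|[^&|\s]+", field):
        if tok in ("&", "|"):
            op = tok
            continue
        val = test(tok.lstrip("!")) != tok.startswith("!")
        result = (result and val) if op == "&" else (result or val)
    return result

def same(name):
    """Matcher for service, tty and user items; a trailing * is a wildcard."""
    return lambda pat: name.startswith(pat[:-1]) if pat.endswith("*") else name == pat

def in_window(now):
    """Matcher for time items such as MoTuWeThFr0800-2000 or Al2200-0600."""
    today, hhmm = 1 << now.weekday(), now.hour * 100 + now.minute
    def test(spec):
        m = re.fullmatch(r"((?:[A-Za-z]{2})+)(\d{4})-(\d{4})", spec)
        if not m:
            raise ValueError(f"bad times item: {spec!r}")
        days = 0
        for i in range(0, len(m[1]), 2):
            days ^= DAYS[m[1][i:i + 2].lower()]   # a repeated day toggles off
        start, end = int(m[2]), int(m[3])
        if start < end:
            return bool(days & today) and start <= hhmm < end
        after = ((days << 1) | (days >> 6)) & 127   # day after each marked day
        return bool(days & today and hhmm >= start) or bool(after & today and hhmm <= end)
    return test

def allowed(conf, service, tty, user, now):
    """False if a rule matching service/tty/user is outside its times field."""
    for line in conf.splitlines():
        f = [x.strip() for x in line.split("#", 1)[0].split(";")]
        if (len(f) == 4 and logic(f[0], same(service)) and logic(f[1], same(tty))
                and logic(f[2], same(user)) and not logic(f[3], in_window(now))):
            return False
    return True

ANSWER_RULES = "login ; * ; !user ; MoTuWeThFr0800-2000\nlogin ; * ; !user ; !Al0000-2400\n"
CHILD_RULE = "login ; * ; user ; Wk1600-2000\n"   # constructed for this example
```

Run candidate rules through `allowed()` for root and for each restricted account at a few times of day before installing them. In this model a users field of `!user` matches every account except `user`, so the result for root is the one to look at first.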

Comments

Hi, I would like to experience the pluggable authentication but I'm stuck on changing the gdm service. "Edit the file so gdm and add this line of code." I'm new and didn't know which file you were referring to. Can you point out which file I should edit and paste in "account required pam_time.so"? Thanks!

talkingtek (2014-11-18 17:07:01 +0000)

probably /etc/pam.d/password-auth

fche2 (2015-02-23 00:42:24 +0000)

Is this still valid for Fedora 25? I mainly want to prevent my kid from browsing the Internet and not sleeping during the night.

Sampson (2017-02-06 07:28:47 +0000)

@Sampson I have not tested it, but I think the whole procedure can be applied to all Fedora versions, except gnome-schedule, whose package is obsolete.

hhlp (2017-02-08 16:19:32 +0000)

answered 2017-05-01 17:13:59 +0000

erik

updated 2017-06-01 14:47:37 +0000

Software available ready to use

I have found this elaborate collection of scripts called kidtimer (only using Linux standard tools) which implements a kidtimer with extra features like keys for prolonging the time available (e.g. for doing homework on the computer etc.). A package is available for Debian and Ubuntu systems.

Do it yourself

My answer tells you how to restrict access for your children on Fedora 24 (now the challenge for my children is to hack the system (finding this answer!) by using a live system booted from USB stick and editing the files for example).

Time restricted log in

General approach

I have used this answer from the fedoraforum and did the following things on my Fedora 24 system.

I edited /etc/security/time.conf and added:

* ; * ; daughter | son | seconddaughter | secondson ; Al0700-0900

which means that access for the users called daughter, son, seconddaughter and secondson is only allowed on all days (Al) between 7 and 9 o’clock in the morning (0700-0900). But that was not enough. I also changed the line

account    required     pam_nologin.so

to

account    required     pam_nologin.so
account    required     pam_time.so

in every file that I found with this command

grep nologin /etc/pam.d/*

Only forbid local password log in

Maybe that was too general. But it worked as expected.

I think one could be more specific and match only the services login and gdm-password (as on our computer we only log in via password, not via fingerprint etc.). That means, the matching line would look like this (in the file /etc/security/time.conf):

login | gdm-password ; * ; daughter | son | seconddaughter | secondson ; Al0700-0900

and therefore it is only needed to edit the files /etc/pam.d/login and /etc/pam.d/gdm-password in the way described above.

Automatic logout

Now how to restrict time logged in? Or how to do automatic log out? I have found two approaches:

Both are very mean and destructive, because they can destroy unsaved work. Therefore a recommendation is to show warnings some minutes before the kill or poweroff using zenity, which is also started from a cronjob.

My implementation

Show warning

Ok, here is my implementation. I edited the cron file of every affected user via the command crontab -e and added the following lines (two warnings are displayed: the first one 10 minutes before 9 o’clock, the second one 5 minutes before):

# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  50 8 *  *  *        /usr/bin/bash -c 'for number in 0 1 2 3 4 5 6 7 8 9; do /usr/bin/zenity --warning --text="You have ...
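A time.conf rule has no effect for a service whose PAM account stack never loads pam_time.so, which is why the answer above edits the files under /etc/pam.d. This is an added example, not part of the answer: a Python check that each service named in time.conf reaches pam_time.so in its account stack, following `include` and `substack` lines. The helper names and the temporary pam.d tree built in `demo()` are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

def services_in_time_conf(text):
    """Service names from the first field of each rule; '*' stands for every service."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";")
        if len(fields) == 4:
            names.update(t.lstrip("!") for t in re.split(r"[\s&|]+", fields[0]) if t)
    return names

def has_pam_time(pam_dir, service, seen=None):
    """True if the account stack of pam_dir/service reaches pam_time.so."""
    seen = set() if seen is None else seen
    path = Path(pam_dir) / service
    if service in seen or not path.is_file():
        return False
    seen.add(service)
    for line in path.read_text().splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 3 or f[0].lstrip("-") != "account":
            continue
        if f[1] in ("include", "substack"):   # stack pulled in from another file
            if has_pam_time(pam_dir, f[2], seen):
                return True
        elif any(x.endswith("pam_time.so") for x in f[2:]):
            return True
    return False

def audit(time_conf_text, pam_dir):
    """Map each service named in time.conf to whether pam_time would run for it."""
    wanted = services_in_time_conf(time_conf_text)
    if "*" in wanted:   # a rule for every service: check every stack in the directory
        wanted = {p.name for p in Path(pam_dir).iterdir() if p.is_file()}
    return {s: has_pam_time(pam_dir, s) for s in sorted(wanted)}

def demo():
    """Constructed pam.d tree, not a real Fedora layout: only password-auth loads pam_time."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "password-auth").write_text("account required pam_unix.so\naccount required pam_time.so\n")
        Path(d, "gdm-password").write_text("account required pam_nologin.so\naccount include password-auth\n")
        Path(d, "login").write_text("account required pam_nologin.so\n")
        rule = "login | gdm-password ; * ; daughter | son | seconddaughter | secondson ; Al0700-0900\n"
        return audit(rule, d)
```

On a real system the call would be `audit(Path("/etc/security/time.conf").read_text(), "/etc/pam.d")`; a `False` entry means the time rule for that service is never consulted.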
