
# How to configure User restriction with (PAM) (a kind of parental control)

I would like to use the kernel module Pluggable Authentication Module (PAM) to restrict or deny access to the computer for some users during a specific set of hours. It can also be used to limit access for children (a kind of parental control).

Especially using the command line.


When we talk about forcing a user to log off, what we’re really talking about is implementing time restrictions on the account for system access or services. The easiest way I’ve found to implement time restrictions is using a plug-in module called Linux-PAM.

Pluggable Authentication Module (PAM) is a mechanism for authenticating users. Specifically, we’re going to use the pam_time module to control timed access for users to services.

Using the pam_time module, we can set access restrictions to a system and/or specific applications at various times of the day as well as on specific days or over various terminal lines. Depending on the configuration, you can use this module to deny access to individual users based on their name, the time of day, the day of week, the service they’re applying for, and their terminal from which they’re making the request.

When using pam_time, you must terminate the syntax of each line (or rule) in the /etc/security/time.conf file with a newline. You can comment each line with the pound sign [#], and the system will ignore that text until the newline.

Here’s the syntax for a rule:

```
services;ttys;users;times
```

- The first field — services — is a logic list of PAM service names.
- The second field — tty — is a logic list of terminal names.
- The third field — users — is a logic list of users or a netgroup of users.
- The fourth field — times — indicates the applicable times.


Here’s an example of a typical set of rules:

```
login ; * ; !user ; MoTuWeThFr0800-2000
login ; * ; !user ; !Al0000-2400
http ; * ; !user ; MoTuWeThFr0800-2000
http ; * ; !user; !Al0000-2400
```


These rules restrict user 'user' from logging on between the hours of 0800 and 2000, and they also restrict Internet access during these hours. Root would be able to log on at any time and browse the Internet during all times as well.

Note: The system logs errors with these rules as syslog(3).

With Fedora, it is possible to assign to your computer time restrictions, to prevent the connection of one or more users to your system. With the time restrictions, you can, for example, limit access to the computer for your children (a kind of parental control, in short), or even protect the connection to your server during certain hours.

## Manual Configuration

### Understand what you will do

Throughout this tutorial, we will use PAM (Pluggable Authentication Modules). It allows you to control user authentication when they connect. Then, we will use the security configuration files to define the logon hours allowed. These manipulations can be performed on any version of Fedora, and require only a simple text editor (vim, emacs, nano, gedit, kate).

### Enable Restrictions hours via the PAM Module

If we want to block the connection to the computer, we will have to change the gdm service. Edit the file so gdm and add this line of code (at the end of file):

```
account required pam_time.so
```


GDM is the login screen distributions for Fedora Gnome. For Fedora KDE spin ...


Hi, I would like to experience the pluggable authentication but I'm stuck on changing the gdm service. "Edit the file so gdm and add this line of code." I'm new and didn't know which file you were referring to. Can you point out which file I should edit and paste in "account required pam_time.so"? Thanks!

( 2014-11-18 17:07:01 +0000 )

( 2015-02-23 00:42:24 +0000 )

Is this still valid for Fedora 25? I mainly want to prevent my kid from browsing the Internet and not sleeping during the night.

( 2017-02-06 07:28:47 +0000 )

@Sampson I have not tested it, but I think the whole procedure can be applied to all Fedora versions, except gnome-schedule, whose package is obsolete.

( 2017-02-08 16:19:32 +0000 )

# Software available ready to use

I have found this elaborate collection of scripts called kidtimer (only using Linux standard tools) which implements a kidtimer with extra features like keys for prolonging the time available (e.g. for doing homework on the computer etc.). A package is available for Debian and Ubuntu systems.

# Do it yourself

My answer tells you how to restrict access for your children on Fedora 24 (now the challenge for my children is to hack the system (finding this answer!) by using a live system booted from USB stick and editing the files for example).

### General approach

I have used this answer from the fedoraforum and did the following things on my Fedora 24 system.

I edited /etc/security/time.conf and added:

```
* ; * ; daughter | son | seconddaughter | secondson ; Al0700-0900
```


This means that access for the users called daughter, son, seconddaughter and secondson is only allowed on all days (Al) between 7 and 9 o’clock in the morning (0700-0900). But that was not enough. I also changed the line

```
account    required     pam_nologin.so
```


to

```
account    required     pam_nologin.so
account    required     pam_time.so
```


in every file that I found with this command

```
grep nologin /etc/pam.d/*
```


Maybe that was too general. But it worked as expected.

I think one could be more specific and match only the services login and gdm-password (as on our computer we only log in via password, not via fingerprint etc.). That means, the matching line would look like this (in the file /etc/security/time.conf):

```
login | gdm-password ; * ; daughter | son | seconddaughter | secondson ; Al0700-0900
```


and therefore it is only needed to edit the files /etc/pam.d/login and /etc/pam.d/gdm-password in the way described above.

## Automatic logout

Now how to restrict time logged in? Or how to do automatic log out? I have found two approaches:

Both are very mean and destructive, because they can destroy unsaved work. Therefore a recommendation is to show warnings some minutes before the kill or poweroff using zenity, which is also started from a cronjob.

### My implementation

#### Show warning

Ok, here is my implementation. I edited the cron file of every affected user via the command crontab -e and added the following lines (two warnings are displayed: the first one 10 minutes before 9 o’clock, the second one 5 minutes before):

```
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
50 8 *  *  *        /usr/bin/bash -c 'for number in 0 1 2 3 4 5 6 7 8 9; do /usr/bin/zenity --warning --text="You have ...
```
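
The `services;ttys;users;times` rules quoted in both answers above can be checked against a given login before they go into /etc/security/time.conf. This is an added example, not code from either answer or from Linux-PAM: a simplified Python model of the evaluation described in time.conf(5). The function names are hypothetical, `fnmatchcase` stands in for the single `*` wildcard, and netgroups and line continuations are not handled.

```python
import re
from fnmatch import fnmatchcase        # superset of time.conf's single '*' wildcard

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]        # datetime.weekday() order
GROUPS = {"Wk": DAYS[:5], "Wd": DAYS[5:], "Al": DAYS}

def in_time(now, token):
    """True if `now` falls inside one day/time-range token, e.g. Al0700-0900."""
    m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", token)
    if not m:
        raise ValueError(f"bad time token: {token!r}")
    marked = set()
    for code in re.findall("..", m.group(1)):
        marked ^= set(GROUPS.get(code, [code]))          # a repeated day toggles off
    start, end = int(m.group(2)), int(m.group(3))
    hhmm, wd = now.hour * 100 + now.minute, now.weekday()
    if start < end:
        return DAYS[wd] in marked and start <= hhmm < end
    # The range wraps past midnight: its tail belongs to the previous day.
    return ((DAYS[wd] in marked and hhmm >= start)
            or (DAYS[(wd - 1) % 7] in marked and hhmm <= end))

def logic(field, value, match):
    """Evaluate a logic list left to right: '|' or '&' joins tokens, '!' negates."""
    parts = re.split(r"([|&])", field)
    result = False
    for i in range(0, len(parts), 2):
        hit = match(value, parts[i].lstrip("!")) != parts[i].startswith("!")
        result = (result and hit) if i and parts[i - 1] == "&" else (result or hit)
    return result

def allowed(rules, service, tty, user, now):
    """Deny when any rule matches service/tty/user and `now` is outside its times."""
    for line in rules.splitlines():
        line = re.sub(r"\s+", "", line.split("#", 1)[0])  # drop comments and spaces
        if not line:
            continue
        svc, ttys, users, times = line.split(";")
        applies = (logic(svc, service, fnmatchcase) and logic(ttys, tty, fnmatchcase)
                   and logic(users, user, fnmatchcase))
        if applies and not logic(times, now, in_time):
            return False
    return True

# Rules quoted from the two answers above; callers and dates in any check are constructed.
FAMILY = "login | gdm-password ; * ; daughter | son | seconddaughter | secondson ; Al0700-0900"
EXEMPT = "login ; * ; !user ; MoTuWeThFr0800-2000"
```

With `datetime` imported, `allowed(FAMILY, "sshd", "ssh", "son", datetime(2024, 1, 6, 21, 30))` returns `True`, because a service the rule does not name is not restricted by it. In this model `EXEMPT` leaves the account named `user` untouched and holds every other account, root included, to the weekday window.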