English
Ask Your Question
1

How to configure User restriction with (PAM) (a kind of parental control)

asked 2011-11-17 16:44:05 +0000

hhlp gravatar image

I would like to use kernel module Pluggable Authentication Module (PAM) to restrict the access or deny the computer to some user in a specific set of hours. it also can be user limit access for children (a kind of parental control).

specialy using the command-line.....

edit retag flag offensive close merge delete

1 answer

Sort by » oldest newest most voted
2

answered 2011-11-17 16:48:47 +0000

hhlp gravatar image

updated 2011-11-17 17:31:44 +0000

When we talk about forcing a user to log off, what we’re really talking about is implementing time restrictions on the account for system access or services. The easiest way I’ve found to implement time restrictions is using a plug-in module called Linux-PAM.

Pluggable Authentication Module (PAM) is a mechanism for authenticating users. Specifically, we’re going to use the pam_time module to control timed access for users to services.

Using the pam_time module, we can set access restrictions to a system and/or specific applications at various times of the day as well as on specific days or over various terminal lines. Depending on the configuration, you can use this module to deny access to individual users based on their name, the time of day, the day of week, the service they’re applying for, and their terminal from which they’re making the request.

When using pam_time, you must terminate the syntax of each line (or rule) in the /etc/security/time.conf file with a newline. You can comment each line with the pound sign [#], and the system will ignore that text until the newline.

Here’s the syntax for a rule:

services;ttys;users;times

The first field —  services — is a logic list of PAM service names.
The second field — tty — is a logic list of terminal names.
The third field — users — is a logic list of users or a netgroup of users.
The fourth field — times — indicates the applicable times.

Here’s an example of a typical set of rules:

login ; * ; !user ; MoTuWeThFr0800-2000
login ; * ; !user ; !Al0000-2400
http ; * ; !user ; MoTuWeThFr0800-2000
http ; * ; !user; !Al0000-2400

These rules restrict user 'user' from logging on between the hours of 0800 and 2000, and they also restrict Internet access during these hours. Root would be able to logon at any time and browse the Internet during all times as well.

Note: The system logs errors with these rules as syslog(3).


With Fedora, it is possible to assign to your computer time restrictions, to prevent the connection of one or more users to your system. With the time restrictions, you can, for example, limit access to the computer for your children (a kind of parental control, in short), or even protect the connection to your server during certain hours.

Manual Configuration

Understand what you will do

Throughout this tutorial, we will use PAM (Pluggable Authentication Modules. It allows you to control user authentication when they connect. Then, we will use the security configuration files to define logon hours allowed. These manipulations can be performed on any version of Fedora, and require only a simple text editor (vim, emacs, nano, gedit, kate).

Enable Restrictions hours via the PAM Module

If we want to block the connection to the computer, we will have to change the gdm service. Edit the file so gdm and add this line of code (at the end of file):

account required pam_time.so

GDM is the login screen distributions for Fedora Gnome. For Fedora KDE spin ... (more)

edit flag offensive delete link more

Comments

Hi, i would to experience the plugable authentication but I'm stock on change the gdm service. "Edit the file so gdm and add this line of code." I'm new and didn't know which file you were refering to. Can you point out which file I should edit and paste in "account required pam_time.so" thanks!

talkingtek ( 2014-11-18 17:07:01 +0000 )edit

probably /etc/pam.d/password-auth

fche2 ( 2015-02-23 00:42:24 +0000 )edit

Is this still valid for Fedora 25? I mainly want to prevent my kid from browsing Internet and not sleep during the night.

Sampson ( 2017-02-06 07:28:47 +0000 )edit

@Sampson I'm not tested but i think all procedure can be apply to all fedora version except gnome-schedule that packaged is obsolete

hhlp ( 2017-02-08 16:19:32 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

[hide preview]

Use your votes!

  • Use the 30 daily voting points that you get!
  • Up-vote well framed questions that provide enough information to enable people provide answers.
  • Thank your helpers by up-voting their comments and answers. If a question you asked has been answered, accept the best answer by clicking on the checkbox on the left side of the answer.
  • Down-voting might cost you karma, but you should consider doing so for incorrect or clearly detrimental questions and answers.

Question Tools

Follow
3 followers

Stats

Asked: 2011-11-17 16:44:05 +0000

Seen: 8,638 times

Last updated: Nov 17 '11