1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
<!--
$Id$
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
<sect1>Time control
<sect2>Synopsis
<p>
<descrip>
<tag><bf>Module Name:</bf></tag>
<tt/pam_time/
<tag><bf>Author:</bf></tag>
Andrew G. Morgan <tt><morgan@kernel.org></tt>
<tag><bf>Maintainer:</bf></tag>
Author
<tag><bf>Management groups provided:</bf></tag>
account
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
Requires a configuration file <tt>/etc/security/time.conf</tt>
<tag><bf>Network aware:</bf></tag>
Through the <tt/PAM_TTY/ item only
</descrip>
<sect2>Overview of module
<p>
Running a well regulated system occasionally involves restricting
access to certain services in a selective manner. This module offers
some time control for access to services offered by a system. Its
actions are determined with a configuration file. This module can be
configured to deny access to (individual) users based on their name,
the time of day, the day of week, the service they are applying for
and their terminal from which they are making their request.
<sect2>Account component
<p>
<descrip>
<tag><bf>Recognized arguments:</bf></tag>
<tag><bf>Description:</bf></tag>
This module bases its actions on the rules listed in its configuration
file: <tt>/etc/security/pam.conf</tt>. Each rule has the following
form,
<tscreen>
<em/services/<tt/;/<em/ttys/<tt/;/<em/users/<tt/;/<em/times/
</tscreen>
In words, each rule occupies a line, terminated with a newline or the
beginning of a comment; a `<tt/#/'. It contains four fields separated
with semicolons, `<tt/;/'. The fields are as follows:
<p>
<itemize>
<item><em/services/ -
a logic list of service names that are affected by this rule.
<item><em/ttys/ -
a logic list of terminal names indicating those terminals covered by
the rule.
<item><em/user/ -
a logic list of usernames to which this rule applies
<p>
By a logic list we mean a sequence of tokens (associated with the
appropriate <tt/PAM_/ item), containing no more than one wildcard
character; `<tt/*/', and optionally prefixed with a negation operator;
`<tt/!/'. Such a sequence is concatenated with one of two logical
operators: <tt/&/ (logical AND) and <tt/|/ (logical OR). Two
examples are: <tt>!morgan&!root</tt>, indicating that this rule
does not apply to the user <tt>morgan</tt> nor to <tt>root</tt>; and
<tt>tty*&!ttyp*</tt>, which indicates that the rule applies only
to console terminals but not pseudoterminals.
<item><em/times/ - a logic list of times at which this rule
applies. The format of each element is a day/time-range. The days are
specified by a sequence of two character entries. For example,
<tt/MoTuSa/, indicates Monday Tuesday and Saturday. Note that
repeated days are <em/unset/; <tt/MoTuMo/ indicates Tuesday, and
<tt/MoWk/ means all weekdays bar Monday. The two character
combinations accepted are,
<tscreen>
<verb>
Mo Tu We Th Fr Sa Su Wk Wd Al
</verb>
</tscreen>
The last two of these being <em/weekend/ days and <em/all 7 days/ of
the week respectively.
<p>
The time range part is a pair of 24-hour times, <em/HHMM/, separated
by a hyphen -- indicating the start and finish time for the rule. If
the finsish time is smaller than the start time, it is assumed to
apply on the following day. For an example, <tt/Mo1800-0300/ indicates
that the permitted times are Monday night from 6pm to 3am the
following morning.
</itemize>
<p>
Note, that the given time restriction is only applied when the first
three fields are satisfied by a user's application for service.
<p>
For convenience and readability a rule can be extended beyond a single
line with a `<tt>\</tt><em/newline/'.
<tag><bf>Examples/suggested usage:</bf></tag>
The use of this module is initiated with an entry in the
<bf/Linux-PAM/ configuration file of the following type:
<tscreen>
<verb>
#
# apply pam_time accounting to login requests
#
login account required pam_time.so
</verb>
</tscreen>
where, here we are applying the module to the <em/login/ application.
<p>
Some examples of rules that can be placed in the
<tt>/etc/security/time.conf</tt> configuration file are the following:
<descrip>
<tag><tt>login ; tty* & !ttyp* ; !root ; !Al0000-2400</tt></tag>
all users except for <tt/root/ are denied access to console-login at
all times.
<tag><tt>games ; * ; !waster ; Wd0000-2400 | Wk1800-0800</tt></tag>
games (configured to use Linux-PAM) are only to be accessed out of
working hours. This rule does not apply to the user <tt/waster/.
</descrip>
<p>
Note, currently there is no daemon enforcing the end of a session.
This needs to be remedied.
<p>
Poorly formatted rules are logged as errors using <tt/syslog(3)/.
</descrip>
<!--
End of sgml insert for this module.
-->
|
