[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

How to use PAM to restrict user login for certain time

Posted on 2010-08-29
12
Medium Priority
?
949 Views
Last Modified: 2013-12-06
Hi guys,
I think PAM is used with NIS, by creating users on NIS server and enable client to login to their machines through users created on NIS server (just like windows active directory).

The question is can I use PAM to on local machine (without using NIS)  to restrict users login to linux system for certain time?
0
Comment
Question by:rawandnet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 7

Expert Comment

by:mcuk_storm
ID: 33553479
There is a useful guide on this topic over at techrepublic: http://articles.techrepublic.com.com/5100-10878_11-1055269.html
0
 

Author Comment

by:rawandnet
ID: 33564886
I have followed all steps, but it has no affect, It is just like nothing been done!!
0
 
LVL 14

Expert Comment

by:cjl7
ID: 33584076
Make sure your system-auth-ac loads the correct sub-sections of pam. For example "session".

//jonas
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 

Author Comment

by:rawandnet
ID: 33584201
how to do that?
0
 
LVL 14

Expert Comment

by:cjl7
ID: 33588248
Could you post your /etc/pam.d/system-auth-ac ?

//jonas
0
 

Author Comment

by:rawandnet
ID: 33605697
content fo /etc/pam.d/system-auth-ac is:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

0
 
LVL 14

Expert Comment

by:cjl7
ID: 33628212
Well, you need to enable the module (pam_time) in the account section.

Be very careful, this might break things!!! Do not logout of all your shells as root when you try this!!! (and so on...)

Consider yourself warned. ;)

If you have followed the HOWTO mentioned before all you need to enforce this is to add the following to your system-auth-ac in the account section

account  required  pam_time.so

You don't need to restart pam to test this, and be sure to verify thoroughly before you logout of your shells.

//jonas
0
 

Author Comment

by:rawandnet
ID: 33660224

Under /etc/pam.d/system-auth-ac I added the highlighted text.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
 
account     required      pam_time.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
 


Under /etc/security/time.conf for testing I denied access to all users, including root
*;*;*;!A10000-2400
But still root users and other users can login to the system, why is that?
0
 
LVL 14

Expert Comment

by:cjl7
ID: 33662273
Hmm, try to put it under the 'session' part.
0
 

Author Comment

by:rawandnet
ID: 33669428
still deoesn't work! put it under

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
account     required      pam_time.so
0
 
LVL 14

Accepted Solution

by:
cjl7 earned 2000 total points
ID: 33669792
Sorry, my bad.

You have to change account     required      pam_time.so  to session     required      pam_time.so
0
 

Author Closing Comment

by:rawandnet
ID: 33700049
thank you
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you sitting there reading this and wondering how to get started with Linux? It almost seems like picking the right Linux distribution is about like picking the right college or buying a new car if you read some of the article out there. Relax… l…
The purpose of this article is to show how we can create Linux Mint virtual machine using Oracle Virtual Box. To install Linux Mint we have to download the ISO file from its website i.e. http://www.linuxmint.com. Once you open the link you will see …
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question