9

We have several Backbox 3.13 systems built on Ubuntu 12.04. One of my teenagers does not understand the concept of this thing called "sleep" and tends to get up to play on the computer. I'm trying to limit that action. We did try Nanny which worked for a few days. Then, even though the settings were still in place, it was still allowing said teen to gain access to her user account and Internet.

After some research, I decided to try modifying /etc/security/time.conf. Apparently, I am not doing it correctly because, no matter which commands I enter into the file, we can still log in to her user account. We do not want her to have access from 9 PM to 6 AM. We do still need for me to have access to the computer all of the time. Here are several syntaxes that I have tried:

1. login;*;username;A12100-0600
2. login;*;username;!A12100-0600
3. login;*;username;!A12100-0600
   login;*;my username;A10000-2400
4. login;*;!username;A12100-0600

I'm going nuts over here with trying to figure out how to do this. I'm sure that it's something simple that I am missing, or that I am entering incorrectly. Any assistance would be appreciated.

Braiam
user81117
  • Try `login;*;daughter;A10600-2100`. That should only allow logins between 6 AM and 9 PM. If that doesn't work, then perhaps `*;*;daughter;A10600-2100`. If it works, you would also want to have a `cron` job that kills your daughter's sessions at 9 PM as this only stops new sessions from being started. There are some details [here](https://ask.fedoraproject.org/en/question/7260/how-to-configure-user-restriction-with-pam-a-kind-of-parental-control/) – Warwick Aug 18 '14 at 00:44
  • Unfortunately, this did not work. I tried login;*;daughter;A10600-1900 to test the solution to no avail. I also tried *;*;daughter;A10600-1900 with no positive results. This should work, but doesn't. Is it because of the Unity system? – user81117 Aug 18 '14 at 01:04
  • Have you configured `pam` to use `pam_time`? If not, you need `account required pam_time.so` in both `/etc/pam.d/gdm` and `/etc/pam.d/login` just below the `auth` entries. – Warwick Aug 18 '14 at 01:14
  • I added those lines in to the /gdm and /login files and then re-entered the info into the config file. We still have no joy on this end. I'm Googling now to make sure I entered the line into the correct spot on the /gdm file. – user81117 Aug 18 '14 at 02:11
  • According to https://ask.fedoraproject.org/en/question/7260/how-to-configure-user-restriction-with-pam-a-kind-of-parental-control/, (Sorry about the long URL) I should be terminating the command by entering in a new line. I comment that line out with a # sign, right? It also says that the account required pam_time.so goes at the end of the /gdm file. I know one thing for sure. Once this is figured out, I won't forget so quickly again! – user81117 Aug 18 '14 at 02:39
  • Yes, comments begin with a `#`. I am unsure what you are commenting out though. – Warwick Aug 18 '14 at 03:01
  • Documentation states that the system won't read a command unless it's followed up with a new line. So, I've tried it two ways. One was with just a line break (pressing enter) and saving the file. The other was a line break, then the # symbol. I didn't have anything to actually enter into a new line but didn't know if I needed to enter content to a new line in order for the first command to be read. Neither way worked. Headed to bed and will pick this up again in the a.m. – user81117 Aug 18 '14 at 03:26
  • How is your daughter logging in? On the server itself, or via `SSH` or similar? If it isn't on the server itself, then you need to edit the appropriate `/etc/pam.d` file, e.g. `/etc/pam.d/sshd`. You would need to add the line `account required pam_time.so` to every file in the `/etc/pam.d` directory that relates to the methods that your daughter uses to log in or use the server. – Warwick Aug 18 '14 at 05:09
  • She's logging in on the computer itself. – user81117 Aug 18 '14 at 12:58
  • I would suggest adding the line `account required pam_time.so` as the first `account` line in `/etc/pam.d/login` and `/etc/pam.d/gdm`. There may be other files in `/etc/pam.d` that also need it. It may be a case of trial and error to find which ones. – Warwick Aug 18 '14 at 22:58
  • If you still can't get this working, an alternative approach would be to have a `root cron` entry to either run a script, or run commands at 9 pm that kill the user's session(s), and lock the password using `passwd -l `. A separate `cron` entry at 6 am would run the command `passwd -u `. That should achieve what you want, although getting `time.conf` to work would obviously be more ideal. – Warwick Aug 19 '14 at 01:00
  • Of course, that does depend on the computer being on at both 9 pm and 6 am. If it isn't, then the `cron` jobs won't be run. – Warwick Aug 19 '14 at 01:02
  • The above didn't work. Unfortunately, it's a laptop and we tend to shut it down at night so the Cron job wouldn't be able to run to either disable or enable the account. I'm about to try the Kidtimer that @Christopher messaged about yesterday. – user81117 Aug 21 '14 at 21:16
  • Kidtimer isn't working either. This is the oddest thing. – user81117 Aug 21 '14 at 21:44

4 Answers

2

1. Edit `/etc/pam.d/common-auth` and add the following line: `account required pam_time.so`

2. Edit `/etc/security/time.conf` and add the restriction: `*;*;username;Al0800-2200`

The example allows login with PAM-aware software every day between 8 am and 10 pm.

Ingmar
1

Is it just here that you do, or are you using ones instead of Ls?

The time restrictions should read "capital A, small L" and then the time...

Jan
  • Hi Nigge. I've tried it both ways as I've seen documentation showing both the Al and the A1. Neither method works. I'm having a bear of a time trying to figure out why. – user81117 Aug 21 '14 at 21:17
  • Sorry to hear it wasn't the cause of your issue. Another thing to check, just to make sure: Does your system perhaps use another DM? Look into /etc/X11/default-display-manager... – Jan Aug 22 '14 at 07:40
  • The system is using Light DM. I think that when I installed GDM I set it up for Light DM. – user81117 Aug 22 '14 at 16:56
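
The `Al` versus `A1` question raised in this answer can be checked mechanically. The following linter is an added example, not code from the thread; it assumes the rule grammar documented in time.conf(5), and the sample rules are constructed from spellings that appear on this page.

```shell
#!/bin/sh
# Added example: lint the "times" field of /etc/security/time.conf rules.
# Assumed grammar (time.conf(5)): services;ttys;users;times, where each time
# term is [!]<day tokens><HHMM>-<HHMM> and terms are joined by | or &.

# check_times TIMES: print a diagnosis; return 0 only if every term is valid.
check_times() {
    _ifs=$IFS; IFS='|&'; set -f
    set -- $1                       # split on | and & without globbing
    set +f; IFS=$_ifs
    [ $# -gt 0 ] || { echo "empty times field"; return 1; }
    for term in "$@"; do
        body=${term#!}              # a leading ! only negates the term
        range=${body##*[A-Za-z]}    # everything after the last letter
        days=${body%"$range"}
        case $range in
            [0-2][0-9][0-5][0-9]-[0-2][0-9][0-5][0-9]) ;;
            *)  hint=
                case $body in [Aa]1*) hint=" (digit 1 typed for letter l?)" ;; esac
                echo "bad time range '$range' in '$term'$hint"; return 1 ;;
        esac
        [ -n "$days" ] || { echo "no day token in '$term'"; return 1; }
        while [ -n "$days" ]; do    # consume day tokens two letters at a time
            rest=${days#??}
            tok=$(printf '%s' "${days%"$rest"}" | tr 'A-Z' 'a-z')
            case $tok in
                mo|tu|we|th|fr|sa|su|wk|wd|al) days=$rest ;;
                *) echo "bad day token in '$term'"; return 1 ;;
            esac
        done
    done
    echo "ok"
}

# lint_rule LINE: check one time.conf line (comments and blanks are skipped).
lint_rule() {
    case $1 in ''|'#'*) echo "skipped"; return 0 ;; esac
    _ifs=$IFS; IFS=';'; set -f
    set -- $1
    set +f; IFS=$_ifs
    [ $# -eq 4 ] || { echo "expected 4 fields separated by ';', got $#"; return 1; }
    check_times "$4"
}

# Constructed sample rules using the spellings seen on this page.
for rule in 'login;*;daughter;A12100-0600' '*;*;daughter;Al0600-2100' \
            '*;*;child1|child2;Wk0445-1958|Sa0445-2300|Su0445-1958'; do
    printf '%-55s %s\n' "$rule" "$(lint_rule "$rule")"
done
```

A rule that passes this check is only syntactically valid; it takes effect only for services whose `/etc/pam.d` file actually loads `pam_time.so`.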
1

Following works for me:

```
*;*;child1|child2|child3;Wk0445-1958|Sa0445-2300|Su0445-1958
```

The following line in /etc/pam.d/common-account may be something I added or uncommented.

```
account required  pam_time.so
```

I also have a cron-job that checks at 8:00 PM if one of the children is logged in, and logs them off if so... the part that actually logs them off is as follows:

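```sh
# $active_children is set earlier in the script (that part is not shown here).
echo 'logging off - Following children are still logged in...'
for n in $active_children; do echo "   $n"; done
# Announce bedtime through the speakers.
festival --tts <<EOT
It is bedtime. Good bye and good night.
EOT
# First ask each child's processes to exit with SIGHUP ...
for n in $active_children
do
    killall -HUP -u "$n"
done
sleep 15
# ... then send the default SIGTERM to anything still running.
for n in $active_children
do
    killall -u "$n"
done
echo "[$(date)] - done"
```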
HalosGhost
david
1

A more generic method is to use cron to lock and unlock the account. This eliminates both the specific requirements of, and any variables related to the window manager. This is only intended to be applied to a standalone machine, not a desktop/laptop/tablet connected to a central authentication server.

```
0 21 * * * /usr/bin/passwd -l childsUserName
0 6 * * * /usr/bin/passwd -u childsUserName
```

NOTE: You may have to adjust your path for the 'passwd' command. Determine the proper path with 'which'.

On my CentOS 6 box:

```
$ which passwd
/usr/bin/passwd
```

Ragansi
  • I don't think this would work. What if authentication is not performed against the local password database (`/etc/shadow`)? `passwd -l` might not even do anything in that case. What if the machine is shut off or a cron job fails to run for some other reason? Then the account could be in an unwanted state. – jayhendren Feb 04 '15 at 17:41
  • I'm not aware of any UNIX or Linux system that doesn't authenticate against the local password database, unless it's connected to a central authentication server. – Ragansi Feb 05 '15 at 03:02
  • My previous comment got cut off prematurely. Didn't realize hitting enter posted the comment. Anyway. If the machine gets turned off, then cron can definitely leave the system in an undesirable state. You can use cron to call a small script that checks the time, and then locks or unlocks accordingly. Run it every 5 minutes, or even @reboot in cron. – Ragansi Feb 05 '15 at 03:25
  • "unless it's connected to a central authentication server". That's exactly what I mean. – jayhendren Feb 05 '15 at 18:41
  • In that case, your central authentication server will (or should...) have the facilities to perform the aforementioned lock out functions. In that case, you wouldn't need (and should not need) to perform user account lockouts on the local machine, unless something is configured out of scope, with how central auth is intended to be used. – Ragansi Feb 06 '15 at 18:46
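
The "small script that checks the time, and then locks or unlocks accordingly" suggested in the comments above could look like the following. This is an added example, not code from the thread; `CHILD`, the script path in the crontab comment and the function names are assumptions, and the 21:00 to 06:00 window is the one from the question.

```shell
#!/bin/sh
# Added example: make the lock state follow the clock on every run, so a
# missed 9 PM or 6 AM cron slot (laptop powered off) is corrected at the
# next run. CHILD and the window are placeholders; override via environment.
CHILD=${CHILD:-childsUserName}
LOCK_FROM=${LOCK_FROM:-2100}    # curfew start, HHMM
LOCK_UNTIL=${LOCK_UNTIL:-0600}  # curfew end, HHMM

# in_curfew NOW FROM UNTIL: true when NOW is inside [FROM, UNTIL).
# FROM > UNTIL means the window wraps past midnight, as 2100-0600 does.
in_curfew() {
    if [ "$2" -le "$3" ]; then
        [ "$1" -ge "$2" ] && [ "$1" -lt "$3" ]
    else
        [ "$1" -ge "$2" ] || [ "$1" -lt "$3" ]
    fi
}

# desired_action NOW: print "lock" or "unlock" for the given HHMM time.
desired_action() {
    if in_curfew "$1" "$LOCK_FROM" "$LOCK_UNTIL"; then
        echo lock
    else
        echo unlock
    fi
}

# reconcile [--apply]: dry run by default; --apply calls passwd (needs root).
reconcile() {
    case $(desired_action "$(date +%H%M)") in
        lock)   flag=-l ;;
        unlock) flag=-u ;;
    esac
    if [ "${1:-}" = "--apply" ]; then
        passwd "$flag" "$CHILD"
    else
        echo "would run: passwd $flag $CHILD"
    fi
}

# Hypothetical root crontab entries (the script path is an assumption):
#   */5 * * * * /usr/local/sbin/curfew.sh --apply
#   @reboot     /usr/local/sbin/curfew.sh --apply
reconcile "${1:-}"
```

As the comments above note, this only helps when logins are checked against the local password database, and locking the password does not end a session that is already open.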