erk.

On Mon, Mar 25, 2013 at 2:33 PM, Joel Rees wrote:
> On Mon, Mar 25, 2013 at 11:06 AM, Hugo Vanwoerkom wrote:
>> Joel Rees wrote:
>>>
>>> I know this is the wrong way to solve the underlying problems, but
>>> sometimes brute force is required.
>>>
>>> I found this ancient post on using PAM and /etc/security/time.conf to
>>> accomplish this kind of thing on techrepublic (Complete with typos: A1
>>> for Al? What bot edited that?):
>>>
>>>
>>> http://www.techrepublic.com/article/using-pam-to-restrict-access-based-on-time/1055269
>>>
>>> And I've been puzzling through the man pages (time.conf and so forth),
>>> but don't seem to be able to get any effect at all.
>>>
>>> Here are some of the rules I've tried, one at a time:
>>>
>>> login; tty*; user1; !Al0000-2400
>>>
>>> *;*;user1;Al1200-2300
>>>
>>> *;*;user1;!Al2300-1200
>>>
>>> I've looked around the man pages for a hint on some daemon that might
>>> need to be restarted but haven't seen anything where I've looked so
>>> far.
>>>
>>> I always miss something obvious when I start digging into something
>>> like this, anyone care to tell me what I'm missing, before I go off
>>> the deep end and start editing the login source code directly? (Seems
>>> like it shouldn't be too hard to make login fail based on the time.)
>>>
>>
>> Looks OK to me.
>
> I did not want to hear that.
>
>> Did you try those 2 examples in time.conf?
>
> The silly ones?
>
> Well, it's no longer the weekend here, and I have root login disabled,
> so I'll have to monkey with my configuration to try the second one.
>
> And I have no idea what the "blank" service is, so I'd have to
> substitute on the first one. I've been looking for a list of names of
> services, don't see one. Are those determined by the name of the
> executable? Or the process name as shown by ps or something?
>
> And the question that keeps me thinking, tty* are physical terminals,
> right? Connected by serial port?
>
> ttyp* are the virtual consoles, such as you switch around when you hit
> ctl-alt-Fn? The ones that allow you to login to an X11 session?
>
> I did try substituting login for blank, then swapping the inversion
> from ttyp* to tty* . No effect on the ability of non-root users to
> login:
>
> login; ttyp* & !ttyp*; !root; !Al0000-2400

login; tty* & !ttyp*; !root; !Al0000-2400

> and then
>
> login; !ttyp* & tty*; !root; !Al0000-2400

login; ttyp* & !tty*; !root; !Al0000-2400

>> Hugo
>
> Thanks for the hints..

Hmm. Shutting down access to non-root users from all consoles would be

login; !tty* & !ttyp*; !root; !Al0000-2400

or even

login; !*; !root; !Al0000-2400

Nope. Can't get any variation of logic with the tty* and ttyp* to
restrict login, either.

PAM is putting out log messages to the effect of successful logins, so
PAM itself seems to be operational.

--
Joel Rees
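For checking rules like the ones in this thread offline, here is an added example (not part of the original post and not pam_time's own code): a small Python model of the `services;ttys;users;times` format from time.conf(5). It assumes pam_time is actually consulted in the service's account stack and evaluates `!`, `&` and `|` strictly left to right; the function names and the console name `tty1` used when calling it are assumptions.

```python
import re

# Day codes from time.conf(5); 0 = Monday ... 6 = Sunday.
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

def glob1(pattern, value):
    """Compare value to a pattern holding at most one '*' wildcard."""
    if "*" not in pattern:
        return pattern == value
    head, tail = pattern.split("*", 1)
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))

def in_time(spec, now):
    """spec is e.g. 'Al1200-2300'; now is (weekday, HHMM as an int)."""
    m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", spec)
    marked = set()
    for i in range(0, len(m[1]), 2):
        marked ^= DAYS[m[1][i:i + 2]]      # a repeated day cancels itself
    start, end, (day, hhmm) = int(m[2]), int(m[3]), now
    if start < end:
        return day in marked and start <= hhmm < end
    # end <= start: the window runs past midnight into the next day
    return ((day in marked and hhmm >= start)
            or ((day - 1) % 7 in marked and hhmm <= end))

def logic(field, agrees):
    """Evaluate one field's logic list left to right, no precedence."""
    result, op, neg = False, "|", False
    for tok in re.findall(r"[!&|]|[\w*./:-]+", field):
        if tok == "!":
            neg = not neg
        elif tok in ("&", "|"):
            op, neg = tok, False
        else:
            val = neg ^ agrees(tok)
            result = (result and val) if op == "&" else (result or val)
            neg = False
    return result

def permitted(rules, service, tty, user, now):
    """False as soon as a rule applies to the request and its time fails."""
    for line in rules:
        svc, ttys, users, times = (f.strip() for f in line.split(";"))
        applies = (logic(svc, lambda p: glob1(p, service))
                   and logic(ttys, lambda p: glob1(p, tty))
                   and logic(users, lambda p: glob1(p, user)))
        if applies and not logic(times, lambda s: in_time(s, now)):
            return False
    return True
```

In this model a rule whose tty field can never be true for the terminal in use, such as `ttyp* & !ttyp*` or `!*`, never applies and so never denies anything, while `tty* & !ttyp*` does apply to `tty1`.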

