
How to restrict login times on Fedora 17?


Kevin the Drummer

Nov 7, 2012, 5:56:02 PM
I had a fairly easy time getting Mandriva to restrict the login
times for my kids. I used PAM stuff, basically following this
guide:

http://blogs.techrepublic.com.com/security/?p=319

I've tried for hours to get something similar to work on Fedora
17. But, nothing works at all.

At one point I tried to automate the steps, before I found out
that this doesn't work on Fedora.

#!/bin/sh

echo "login ; * ; son|daughter ; !Al2000-0800" > text
echo "kde ; * ; son|daughter ; !Al2000-0800" >> text
echo "kdm ; * ; son|daughter ; !Al2000-0800" >> text
/bin/rm -f time.conf
cat /etc/security/time.conf text > time.conf
sudo chown root.root time.conf
sudo chmod 644 time.conf
sudo cp time.conf /etc/security/time.conf

echo "account required pam_time.so" > text
/bin/rm -f login
cat /etc/pam.d/login text > login
sudo chown root.root login
sudo chmod 644 login
sudo cp login /etc/pam.d/login

echo "account required pam_time.so" > text
/bin/rm -f kdm
cat /etc/pam.d/kdm text > kdm
sudo chown root.root kdm
sudo chmod 644 kdm
sudo cp kdm /etc/pam.d/kdm
sudo cp kdm /etc/pam.d/kdm_greet

echo "account required pam_time.so" > text
/bin/rm -f gdm-password
cat /etc/pam.d/gdm-password text > gdm-password
sudo chown root.root gdm-password
sudo chmod 644 gdm-password
sudo cp gdm-password /etc/pam.d/gdm-password

What am I doing wrong? I'm thinking that I might have the wrong
name entry into /etc/pam.d/<somefilename>. I base that on my first
attempt to get my desired behavior out of Mandriva. The first
time I ended up restricting only console logins. When I found
out that I had to restrict kdm logins, then I got it to work.
After a lot of trial and error with filename options on Fedora
I'm still no further than I was before.

Does anyone have a cookbook for how to get this to work on Fedora 17?

Thanks....

--
Kevin

Chris Davies

Nov 8, 2012, 5:28:27 AM
Kevin the Drummer <nob...@cosgroves.us> wrote:
> I've tried for hours to get something similar to work on Fedora
> 17. But, nothing works at all.

Looking at Debian, the relevant requirement appears to be adding "account
requisite pam_time.so" above any other "account" type entries (including
the @common-account reference).


> At one point I tried to automate the steps, before I found out
> that this doesn't work on Fedora.

> echo "login ; * ; son|daughter ; !Al2000-0800" > text
> echo "kde ; * ; son|daughter ; !Al2000-0800" >> text
> echo "kdm ; * ; son|daughter ; !Al2000-0800" >> text
> /bin/rm -f time.conf
> cat /etc/security/time.conf text > time.conf
> sudo chown root.root time.conf
> sudo chmod 644 time.conf
> sudo cp time.conf /etc/security/time.conf

I'd tend to make this more fail-safe, myself, since your code has some
horrible race conditions modifying the pam modules. I'd also run the
entire script under sudo. But that's me.

TIME_CONF=/etc/security/time.conf
if test ! -f "$TIME_CONF.ORIG"
then
    echo "Fixing $TIME_CONF" >&2
    # Keep the original; the .ORIG copy also marks the file as already done
    cp -p "$TIME_CONF" "$TIME_CONF.ORIG"
    (
        # Note: this replaces the file's contents with just these rules
        echo "login ; * ; son|daughter ; !Al2000-0800"
        echo "kde ; * ; son|daughter ; !Al2000-0800"
        echo "kdm ; * ; son|daughter ; !Al2000-0800"
    ) >"$TIME_CONF"
fi

# sshd is the PAM service name OpenSSH uses
for PAM_MOD in gdm3 gdm3-autologin kdm kdm_greet login sshd su xscreensaver
do
    PAM_FILE="/etc/pam.d/$PAM_MOD"
    test -f "$PAM_FILE" || continue

    if test ! -f "$PAM_FILE.ORIG"
    then
        echo "Fixing $PAM_FILE" >&2
        cp -p "$PAM_FILE" "$PAM_FILE.ORIG"
        (
            # Ugh, takes no account of file formatting
            echo "account requisite pam_time.so"
            cat "$PAM_FILE.ORIG"
        ) >"$PAM_FILE"
    fi
done


> Does anyone have a cookbook for how to get this to work on Fedora 17?

Email me your (original) pam configuration files from /etc/pam.d/ and
I'll see if I can send you some suggestions by return.

Chris
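
An added example, not part of Chris's post or of anyone's code in this thread: a shell function that puts the pam_time.so entry above the first "account" entry of a PAM service file, as suggested above, while keeping the file's own formatting. Placement matters because an earlier account entry marked "sufficient" can end the stack before a line appended at the bottom is consulted. The function names are hypothetical and the sample service file is constructed.

```shell
#!/bin/sh
# Added example: place pam_time.so ahead of every other "account" entry.
PAM_LINE='account    requisite    pam_time.so'

# insert_pam_time FILE (hypothetical helper): insert PAM_LINE before the first
# "account" entry. Idempotent; builds a temp file beside FILE and renames it.
insert_pam_time() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Nothing to do if an account entry already loads pam_time.so.
    if grep -Eq '^[[:space:]]*-?account[[:space:]].*pam_time\.so' "$file"; then
        return 0
    fi
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v line="$PAM_LINE" '
        !seen && /^[ \t]*-?account[ \t]/ { print line; seen = 1 }
        { print }
        END { if (!seen) print line }   # no account entries at all: append
    ' "$file" >"$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$file"
}

# first_account_module FILE: module named by the first account entry.
first_account_module() {
    awk '/^[ \t]*-?account[ \t]/ { print $3; exit }' "$1"
}

# make_sample FILE: constructed service file, not copied from any distribution.
make_sample() {
    cat >"$1" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
}

# Demo on the constructed sample in a scratch directory (no root needed).
demo_dir=$(mktemp -d) && make_sample "$demo_dir/login" &&
    insert_pam_time "$demo_dir/login" && cat "$demo_dir/login"
rm -rf "$demo_dir"
```

On a real system the function would be run as root against each /etc/pam.d service file that should enforce time.conf; keep a root shell open while testing, since a broken account stack can block every login.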

Balwinder S Dheeman

Nov 8, 2012, 7:42:09 AM
On 11/08/2012 04:26 AM, Kevin the Drummer wrote:

[snip]
Editing system configuration files in the above said manner is the most absurd
style I have ever encountered till today; you'll loose all examples
provided by the developers and, or packagers :(

I'm not sure, but I think Fedora 17 uses systemd these days, hence you
might want to check the systemd documentation as well.

See also:
http://www.techrepublic.com/article/using-pam-to-restrict-access-based-on-time/1055269

--
Balwinder S "bdheeman" Dheeman
(http://werc.homelinux.net/contact/)

The Natural Philosopher

Nov 8, 2012, 7:59:18 AM
On 08/11/12 12:42, Balwinder S Dheeman wrote:
> you'll loose all examples
> provided by the developers and, or packagers :(

Bad idea loosing examples. Now you will have to round them up and put
them back in the man pages where they belong!


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.

Kevin the Drummer

Nov 16, 2012, 2:11:08 PM
Chris Davies <chris-...@roaima.co.uk> wrote:
> Email me your (original) pam configuration files from /etc/pam.d/ and
> I'll see if I can send you some suggestions by return.

Chris, I did send you email. Did you get it? I'm happy to post a
solution here, when I find one, to save others the headache I'm
experiencing.

Thanks....

--
Kevin

Chris Davies

Nov 18, 2012, 7:50:28 AM
Kevin the Drummer <nob...@cosgroves.us> wrote:
> Chris, I did send you email. Did you get it? I'm happy to post a
> solution here, when I find one, to save others the headache I'm
> experiencing.

Yes. Sorry. I'll reply privately.
Chris