Control Ssh Login by Time
Sometimes, we want to control the time-frame that a user can login to a machine with ssh. In these cases, we need to configure Sshd to Allow Login by Time Schedule.
In our example today, we want to create a user name mary that can login only Monday through Friday from 8am-5pm. To begin, let’s create the user and set the password:
Configure PAM (Pluggable Authentication Modules)
Now that our user is created, we need to configure the time restraints for the user. To do this, we need to edit the pam.d (Pluggable Authentication Modules for Linux) file that controls sshd. More information on CentOS PAM can be found using this link: https://www.centos.org/docs/2/rhl-rg-en-7.2/s1-pam-config-files.html In the case of Redhat / Fedora / CentOS, we edit the /etc/pam.d/sshd file. We need to add the following line to the file:
|account required pam_time.so
as shown in this example of a complete /etc/pam.d/sshd file:
account required pam_time.so # <– This Line Here
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
Configure time.conf File
After we edit the /etc/pam.d/sshd file, we need to edit and configure the /etc/security/time.conf file to configure when the specific times that our “mary” user can login. In our example, we will add the following line at the bottom of the /etc/security/time.conf file:
If we break down the line above, the first field is the PAM service field to which this rule will apply. The second field is the tty field and specifies which terminals it will apply to. The third field is a list of users or groups that the rule will apply to. The final field is the time field that specifies the times and days that the rule will work on.
In our case, this line tells PAM to only allow the mary user to login with sshd on Week days between 8am and 5pm. The table below lists all of the available day options that we can use:
|All 7 Days of the Week
We should be done. We just need to test the logins during the times we expect to be able to login and the times that we expect to not be able to login to see if our experience meets expectations.
However, we may want to modify things at some point in the future for our user. Let’s imagine that we want the user to be able to login at all times except 8am-5pm. In this case, we would use the exclamation point “!” to say “not”. For example:
Now, the “mary” user can login at any times except for week days between 8am and 5pm.
Specifying Multiple Days
When we specify multiple days or day groups, if the days do not overlap then it means all times. For example:
The line above states that the “mary” user can login on Monday, Wednesdays, and Fridays between 10am and 2pm.
However, specifying day options that overlap means all except the overlapping time. For example:
The line above states that the “mary” user can login on all days except for Wednesdays between 9am and 6pm.
Finally, let’s imagine that
This line tells us that mary and john can login on Saturdays and Sundays between 8am and 8pm.
Forcing Logout of Users
Assuming that we have configured the “mary” user as per our first example above where the user can login between 8am and 5pm on weekdays, we now need to consider the possibility that the “mary” user logged in during the permitted time-frame, but did not logout. We don’t want to have the user logged in anymore so we need to force the logout. To do this, we need to use our root crontab file to kill any logins that may be logged in when 5pm comes around each weekday:
|0 17 * * 1-5 /usr/bin/pkill -KILL -u mary
We should be good!