How to configure user restriction with PAM? A kind of parental control

Hello.

I have tried this (with time.conf and pam.d/gdm-password) which is also described here and here.

What I did on the children’s computer was

sudo vi /etc/security/time.conf

And added a line

*;*;fury|flipper;Tu0700-2100|Th0700-2100

to that file, which should allow access (login) only on Tuesdays and Thursdays between 7:00 and 21:00.

For that I also edited the files login, gdm-password and sshd in the directory /etc/pam.d/. I added a line

account    required     pam_time.so

But I can still log in now, although it is not Thursday and it is not between 7:00 and 21:00.

What am I doing wrong?

My system:

cat /etc/fedora-release 
Fedora release 39 (Thirty Nine)

Is there anything logged?

Also, it might be nice for authselect to have a “time” feature. Maybe a good upstream feature request? That’d save the somewhat-fragile editing of pam config files.

I have no idea where to look for logs according to this. Can you give me a hint?

Does it work on your system? Does it work on fedora at all?


Update: I have found some logs.

I tried journalctl -u systemd-logind and got

ago 03 21:42:27 eris systemd-logind[964]: New session 32 of user flipper.

Later I tried journalctl -S today | grep flipper and got this when I logged in via ssh with user flipper:

ago 03 21:42:27 eris audit[54060]: USER_AUTH pid=54060 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth grantors=auth-key acct="flipper" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.168 terminal=? res=success'
ago 03 21:42:27 eris audit[54060]: USER_ACCT pid=54060 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="flipper" exe="/usr/sbin/sshd" hostname=192.168.1.168 addr=192.168.1.168 terminal=ssh res=success'
ago 03 21:42:27 eris sshd[54060]: Accepted publickey for flipper from 192.168.1.168 port 49058 ssh2: ED25519 SHA256:MVganFW9LI6MNCT3RDXezi2eMgLVnZi1x/wwq0Egylc
ago 03 21:42:27 eris audit[54060]: CRED_ACQ pid=54060 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="flipper" exe="/usr/sbin/sshd" hostname=192.168.1.168 addr=192.168.1.168 terminal=ssh res=success'
ago 03 21:42:27 eris systemd-logind[964]: New session 32 of user flipper.
ago 03 21:42:27 eris audit[54083]: USER_ACCT pid=54083 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="flipper" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
ago 03 21:42:27 eris audit[54083]: CRED_ACQ pid=54083 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct="flipper" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
ago 03 21:42:27 eris (systemd)[54083]: pam_unix(systemd-user:session): session opened for user flipper(uid=1003) by flipper(uid=0)
ago 03 21:42:27 eris audit[54083]: USER_START pid=54083 uid=0 auid=1003 ses=33 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_namespace,pam_systemd_home,pam_umask,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="flipper" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
ago 03 21:42:27 eris systemd[1]: Started session-32.scope - Session 32 of User flipper.
ago 03 21:42:27 eris sshd[54060]: pam_unix(sshd:session): session opened for user flipper(uid=1003) by flipper(uid=0)
ago 03 21:42:27 eris audit[54060]: USER_START pid=54060 uid=0 auid=1003 ses=32 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="flipper" exe="/usr/sbin/sshd" hostname=192.168.1.168 addr=192.168.1.168 terminal=ssh res=success'
ago 03 21:42:27 eris audit[54111]: CRED_ACQ pid=54111 uid=0 auid=1003 ses=32 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="flipper" exe="/usr/sbin/sshd" hostname=192.168.1.168 addr=192.168.1.168 terminal=ssh res=success'

I think you should pay attention to putting account required pam_time.so before any account sufficient lines.

sufficient
success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules.

In addition, since gdm-password and sshd both contain account include password-auth, it is more convenient to add account required pam_time.so just in /etc/pam.d/password-auth. And since many other services (like login) contain account include system-auth, just add that line in /etc/pam.d/system-auth.

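To see why the position of the pam_time.so line matters, here is a small simulator of the PAM account stack's simple control flags (required, requisite, sufficient, optional) as described in pam.conf(5). It is an added example for this thread, not code from Linux-PAM or from anyone in the discussion. Assumptions: the two stacks are flattened by hand (include lines are not followed, the real Fedora files contain more lines than shown here), modules not listed in the outcome table succeed, and the pam_time.so failure stands for a login attempted outside the time.conf window.

```python
"""Toy simulator of the PAM 'account' stack, simple control syntax only.
Added example for this thread; not Linux-PAM code."""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


def parse_account_stack(pam_text):
    """Extract (control, module) pairs for the 'account' type from pam.d-style text.
    include/substack lines and bracket-syntax controls are rejected rather than
    followed, because this simulator works on an already flattened stack."""
    stack = []
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] != "account" or len(parts) < 3:
            continue
        control, module = parts[1], parts[2]
        if control in ("include", "substack") or control.startswith("["):
            raise ValueError(f"unsupported control in this simulator: {line}")
        stack.append((control, module))
    return stack


def run_account_stack(stack, outcomes):
    """Walk the stack the way libpam treats the simple control flags.
    `outcomes` maps module -> True/False; unlisted modules succeed (assumption).
    Returns (access_granted, modules_actually_consulted)."""
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = outcomes.get(module, True)
        consulted.append(module)
        if control == REQUIRED:
            if not ok:
                required_failed = True          # remembered, but keep walking
        elif control == REQUISITE:
            if not ok:
                return False, consulted         # fail immediately
        elif control == SUFFICIENT:
            if ok and not required_failed:
                return True, consulted          # stop here: nothing below runs
        elif control == OPTIONAL:
            pass                                # never decisive in a mixed stack
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, consulted


# Constructed stacks (flattened): pam_time.so appended after the sufficient line,
# versus pam_time.so placed before it as suggested in the reply above.
APPENDED_LAST = """
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     required      pam_time.so
"""
BEFORE_SUFFICIENT = """
account     required      pam_unix.so
account     required      pam_time.so
account     sufficient    pam_localuser.so
"""

# Constructed outcome: a local user logging in outside the time.conf window.
OUTSIDE_WINDOW = {"pam_time.so": False}


def demo():
    """Run both orderings against the same outcome and return the two results."""
    wrong = run_account_stack(parse_account_stack(APPENDED_LAST), OUTSIDE_WINDOW)
    right = run_account_stack(parse_account_stack(BEFORE_SUFFICIENT), OUTSIDE_WINDOW)
    return wrong, right


if __name__ == "__main__":
    (w_ok, w_seen), (r_ok, r_seen) = demo()
    print(f"pam_time last:  granted={w_ok} consulted={w_seen}")
    print(f"pam_time first: granted={r_ok} consulted={r_seen}")
```

With pam_time.so last, the sufficient pam_localuser.so line returns success to the application and pam_time.so is never consulted for a local user; with pam_time.so first, its failure is remembered as a required failure, the sufficient line can no longer short-circuit, and access is denied.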

Thank you for your ideas @alciregi

I restored the modified files. Then I did

authselect opt-out

and then modified password-auth and system-auth. They look now like this (relevant part):

password-auth

account     required                                     pam_unix.so
account    required     pam_time.so
account     sufficient                                   pam_localuser.so

system-auth

account     required                                     pam_unix.so 
account    required     pam_time.so 
account     sufficient                                   pam_localuser.so

I simplified the only uncommented line in time.conf to

*;*;flipper;Tu

I restarted sshd with sudo systemctl restart sshd.service.

I can still log in with ssh as user flipper. :frowning:

Are you able to make it work on your system like this?


With your exact configuration I’m able to ssh as well, but in the logs (journalctl --no-hostname -xf -u sshd) it looks like time.conf is wrong

Aug 04 07:28:29 sshd[76772]: pam_time(sshd:account): no/bad times specified (rule #1)

So, the syntax in /etc/security/time.conf should also contain the time range (as in your original post):

*;*;testuser;Tu0700-2100

Then ssh doesn’t work and in the logs I get

Aug 04 07:30:13 sshd[77322]: fatal: Access denied for user testuser by PAM account configuration [preauth]

As a counter-proof, supposing that it is currently Sunday at about 7:30 a.m., if in /etc/security/time.conf I put

*;*;testuser;Su0700-2100

ssh works as expected.
If I use

*;*;testuser;Su0800-2100

ssh doesn’t work anymore.

Aug 04 07:38:38 sshd[79719]: fatal: Access denied for user testuser by PAM account configuration [preauth]
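A way to dry-run a time.conf before touching the PAM stack, as an added example for this thread (not Linux-PAM code and not from anyone in the discussion): a small evaluator that applies the field semantics documented in pam_time(8), services;ttys;users;times, and reproduces the outcomes reported above, including the rule without a time range being logged as bad and therefore not enforced. Assumptions of this example: the '|' and '&' operators are applied left to right, a range that crosses midnight (e.g. 2200-0600) is matched against the start day's weekday only, rule numbers count non-comment lines, and the sample instants (3 August 2024 was a Saturday, 4 August 2024 a Sunday) are constructed.

```python
"""Dry-run evaluator for /etc/security/time.conf (added example, not Linux-PAM code).
Rule: services;ttys;users;times. The first three fields are logic lists
('|' or, '&' and, '!' not, '*' any). times is one or more [!]DAYSHHMM-HHMM
ranges joined by '|'/'&'; DAYS uses Mo Tu We Th Fr Sa Su Wk(Mo-Fr) Wd(Sa,Su) Al,
and a repeated day toggles (MoWk = weekdays except Monday)."""
import re
from datetime import datetime

DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
DAY_GROUPS = {"Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}
TOKEN_RE = re.compile(r"[&|]|[^&|]+")
RANGE_RE = re.compile(r"^(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")


def _combine(acc, op, hit):
    """Left-to-right combination of a logic list (assumption of this example)."""
    if acc is None:
        return hit
    return (acc and hit) if op == "&" else (acc or hit)


def match_logic(field, value):
    """Evaluate a logic list such as 'fury|flipper', '!root' or '*' against value."""
    acc, op = None, None
    for tok in TOKEN_RE.findall(field):
        if tok in "&|":
            op = tok
            continue
        name = tok.lstrip("!")
        hit = name == "*" or name == value
        acc = _combine(acc, op, (not hit) if tok.startswith("!") else hit)
    return bool(acc)


def parse_times(field):
    """Return a list of operators and (negate, days, start, end) tuples, or None
    when a range is malformed (no HHMM-HHMM, or an impossible clock value)."""
    items = []
    for tok in TOKEN_RE.findall(field):
        if tok in "&|":
            items.append(tok)
            continue
        m = RANGE_RE.match(tok)
        if not m:
            return None
        neg, days, start, end = m.groups()
        start, end = int(start), int(end)
        if any(t // 100 > 24 or t % 100 > 59 for t in (start, end)):
            return None
        dayset = set()
        for code in re.findall(r"..", days):
            dayset ^= DAY_GROUPS.get(code) or {DAY_CODES[code]}   # repeated code toggles
        items.append((neg == "!", dayset, start, end))
    return items or None


def in_time(items, now):
    """True if `now` falls inside the parsed time list (start inclusive, end exclusive)."""
    hhmm, wday = now.hour * 100 + now.minute, now.weekday()   # Monday == 0
    acc, op = None, None
    for item in items:
        if item in ("&", "|"):
            op = item
            continue
        neg, days, start, end = item
        if start <= end:
            hit = wday in days and start <= hhmm < end
        else:   # crosses midnight; checked against the start day only (assumption)
            hit = wday in days and (hhmm >= start or hhmm < end)
        acc = _combine(acc, op, (not hit) if neg else hit)
    return bool(acc)


def check_access(conf_text, service, tty, user, now):
    """A rule applies when services, ttys and users all match. Access is denied if
    any applicable, well-formed rule is not satisfied at `now`; a malformed time
    field is reported like pam_time's 'no/bad times specified' and not enforced."""
    allowed, notes, ruleno = True, [], 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ruleno += 1
        fields = line.split(";")
        if len(fields) != 4:
            notes.append(f"rule #{ruleno}: expected 4 ';'-separated fields")
            continue
        svc_f, tty_f, usr_f, time_f = fields
        if not (match_logic(svc_f, service) and match_logic(tty_f, tty)
                and match_logic(usr_f, user)):
            continue                                   # rule is about someone else
        items = parse_times(time_f)
        if items is None:
            notes.append(f"rule #{ruleno}: no/bad times specified (not enforced)")
            continue
        if not in_time(items, now):
            allowed = False
            notes.append(f"rule #{ruleno}: outside permitted times")
    return allowed, notes


# Constructed from the thread: the working rule and the shortened rule that
# produced 'no/bad times specified (rule #1)'; constructed sample instants.
CHILDREN_CONF = "*;*;fury|flipper;Tu0700-2100|Th0700-2100\n"
BROKEN_CONF = "*;*;flipper;Tu\n"
SAT_EVENING = datetime(2024, 8, 3, 21, 42)
SUN_MORNING = datetime(2024, 8, 4, 7, 30)
TUE_MORNING = datetime(2024, 8, 6, 8, 0)

if __name__ == "__main__":
    for conf, when in ((CHILDREN_CONF, SAT_EVENING), (CHILDREN_CONF, TUE_MORNING), (BROKEN_CONF, SAT_EVENING)):
        ok, notes = check_access(conf, "sshd", "ssh", "flipper", when)
        print(f"{conf.strip():45} {when:%a %H:%M} -> allowed={ok} {notes}")
```

Run it against the exact line you intend to put in time.conf and the current local time before restarting sshd; a rule that comes back as "no/bad times specified" will not block anyone, which is the silent failure this thread ran into.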

It works!!! Yippi. Great. Thank you very much.
