Question:
How to enforce a policy that allows new ssh logins at a particular time of the day only. Outside these access windows no new ssh logins are to be permitted.
Solution :
PAM Resource Description
Login times can be controlled using the Linux Pluggable Authentication Modules (PAM) pam_time.so module. The pam_time.so module enforces the login restrictions specified in the file /etc/security/time.conf, so the desired login windows must be defined in that file.
Example Policy
Using an example is the best way to explain the functioning of the pam_time.so module. We would like to limit user john's remote logins to the system to between 13:00 and 14:00 on any day. To do this, add the line below to the /etc/security/time.conf file:
# vi /etc/security/time.conf
sshd;*;john;Al1300-1400
Fields are separated by a semicolon (;) character. The fields are:
- The service name to be controlled; here sshd is used.
- The tty terminal which is being controlled. This field allows us to limit the restriction to a certain terminal, for example. The “*” wildcard means apply the restriction regardless of the terminal used for the login attempt.
- A list of the users to whom this limitation applies. Our example restriction applies only to the john user.
- A list of times to which the restriction applies. Each time range consists of an optional exclamation mark (!) to negate the range, followed by one or more two-letter day names, followed by a time range in 24-hour HHMM-HHMM format. The name Wk means any weekday; the name Wd means a week-end day; and Al means any day. Our example grants permission between 13:00 and 14:00, any day of the week.
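To make the semantics of a time.conf line concrete, here is an added example (not part of the original answer, and not the pam_time.so source) that parses lines in the four-field format described above and evaluates whether a given login attempt would be accepted. It models the rule the module applies: every line whose service, tty and user fields match the attempt must also accept its time, and one matching line that rejects the time denies the login. The sample configuration is constructed: it contains the page's own rule for john plus two hypothetical rules for alice and for everyone. The checker handles "*", plain names and "!name" in the first three fields and a single time range in the fourth; the "&" and "|" logic-list operators of the real module are omitted, and a range that crosses midnight is simplified to the day it starts on.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Two-letter day names from the times field, mapped to datetime.weekday()
# values (Monday = 0 ... Sunday = 6).
DAY_NAMES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4},          # any weekday
    "Wd": {5, 6},                   # a week-end day
    "Al": {0, 1, 2, 3, 4, 5, 6},    # any day
}


@dataclass
class Rule:
    services: str   # field 1: service name, "*", or "!name"
    ttys: str       # field 2: terminal, "*", or "!name"
    users: str      # field 3: user, "*", or "!name"
    negate: bool    # leading "!" on the times field
    days: set       # weekday numbers the range applies to
    start: int      # range start, minutes since midnight
    end: int        # range end, minutes since midnight (2400 = end of day)


def parse_times(spec):
    """Parse one times entry such as 'Al1300-1400' or '!Wd0000-2400'."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    days, pos = set(), 0
    while spec[pos:pos + 2] in DAY_NAMES:      # consume day names, e.g. MoWeFr
        days |= DAY_NAMES[spec[pos:pos + 2]]
        pos += 2
    m = re.fullmatch(r"(\d{2})(\d{2})-(\d{2})(\d{2})", spec[pos:])
    if not days or m is None:
        raise ValueError(f"bad times entry: {spec!r}")
    h1, m1, h2, m2 = (int(x) for x in m.groups())
    return negate, days, h1 * 60 + m1, h2 * 60 + m2


def parse_time_conf(text):
    """Parse the contents of a time.conf file into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != 4:
            raise ValueError(f"expected 4 ';'-separated fields: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], *parse_times(fields[3])))
    return rules


def field_matches(field, value):
    """'*' matches anything, '!name' matches anything but name, else exact match."""
    if field == "*":
        return True
    if field.startswith("!"):
        return value != field[1:]
    return value == field


def time_allowed(rule, when):
    """True if the attempt time satisfies the rule's (possibly negated) range."""
    minutes = when.hour * 60 + when.minute
    on_day = when.weekday() in rule.days
    if rule.start <= rule.end:
        inside = on_day and rule.start <= minutes < rule.end
    else:
        # Range crosses midnight (e.g. 2200-0600); simplified to the start day.
        inside = on_day and (minutes >= rule.start or minutes < rule.end)
    return not inside if rule.negate else inside


def login_permitted(rules, service, tty, user, when):
    """Every rule whose service, tty and user match must also accept the time;
    a single matching rule that rejects it denies the login. Attempts matched
    by no rule pass through to the rest of the PAM stack."""
    for rule in rules:
        if (field_matches(rule.services, service)
                and field_matches(rule.ttys, tty)
                and field_matches(rule.users, user)):
            if not time_allowed(rule, when):
                return False
    return True


def decide(conf_text, service, tty, user, when_iso):
    """Convenience wrapper: parse the config and evaluate one login attempt."""
    return login_permitted(parse_time_conf(conf_text), service, tty, user,
                           datetime.fromisoformat(when_iso))


# Constructed sample: the page's rule for john plus two hypothetical rules.
SAMPLE_TIME_CONF = """
# service;tty;user;times
sshd;*;john;Al1300-1400       # the page's example: john, 13:00-14:00 any day
sshd;*;alice;Wk0800-1800      # hypothetical: alice only on weekdays, 08:00-18:00
sshd;*;*;!Su0000-2400         # hypothetical: no ssh logins for anyone on Sundays
"""

if __name__ == "__main__":
    for user, when in (("john", "2024-01-10T13:30"), ("john", "2024-01-10T15:00"),
                       ("alice", "2024-01-13T09:00"), ("bob", "2024-01-14T10:00")):
        verdict = "allowed" if decide(SAMPLE_TIME_CONF, "sshd", "pts/0", user, when) else "denied"
        print(f"{user} at {when}: {verdict}")
```

Running the script prints a verdict per attempt; the interesting cases are john on a Sunday (his own Al rule accepts, the Sunday rule denies) and a service other than sshd, which no line matches and which is therefore left untouched by this module.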
Activate The Policy
Add a line to the /etc/pam.d/sshd service file which reads:
# vi /etc/pam.d/sshd
account required pam_time.so
The line should be grouped with the other account lines. Line order in PAM configuration files is important: modules are applied in the order the lines appear in the file. Add the new line as the last account line, so that the other account checks run first and the existence of a time-based restriction is not revealed to outsiders whose login would be refused anyway. In our example:
# vim /etc/pam.d/sshd
#%PAM-1.0
...
# Additionally, check for any account-based restrictions using pam_time.so
account required pam_nologin.so
account include password-auth
account required pam_time.so
...