How to enforce a policy that allows new ssh logins at perticular time of the day only. Outside these access windows no new ssh logins are to be permitted.
PAM Resource Description
Login times can be controlled using the Linux Plugin Authentication Method (PAM) pam_time.so module. The pam_time.so module enforces the login restrictions specified in the file /etc/security/time.conf. So the desired login windows must be defined in that file.
Using an example is the best way to explain the functioning of the pam_time.so module. We would like to limit user john remote login to the system to only between 13:00 and 14:00 any day. To do this, add the line below to the /etc/security/time.conf file:
# vi /etc/security/time.conf sshd;*;john;Al1300-1400
Fields are separated by a semicolon (;) character. The fields are:
- The service name to be controller, here sshd is used.
- The tty terminal which is being controlled. This field allows us to limit the restriction to a certain terminal, for example. The “*” wildcard means apply the restriction regardless of the terminal used for the login attempt.
- A list of the users to whom this limitation applies. Our example restriction applies only to the john user.
- A list of times to which the restriction applies. Each time range is an optional exclamation mark (!) to negate the time range, followed by one or more two-letter day names, followed by a time range using a 24-hour clock. The name Wk means any weekday; the name Wd means a week-end day; and Al means any day. Our example grants permission between 13:00 and 14:00, any day of the week.
Activate The Policy
Add a line to the /etc/pam.d/sshd service file which reads:
# vi /etc/pam.d/sshd account required pam_time.so
The line should be grouped with other account lines. The line order in PAM authentication files is important: items are applied in the order the lines appear in the file. Add the new line as the last account line. This ensures information about a time-based enforcement is not leaked to outsiders. In our example:
# vim /etc/pam.d/sshd #%PAM-1.0 ... # Additionally, check for any account-based restrictions using pam_time.so account required pam_nologin.so account include password-auth account required pam_time.so ...