The Geek Diary

CentOS / RHEL : How to restrict SSH login by time of day

by admin

Question:

How to enforce a policy that allows new ssh logins at particular times of the day only. Outside these access windows no new ssh logins are to be permitted.

Solution:

PAM Resource Description

Login times can be controlled with the pam_time.so module of Linux Pluggable Authentication Modules (PAM). The pam_time.so module enforces the login restrictions specified in the file /etc/security/time.conf, so the desired login windows must be defined in that file.

Example Policy
An example is the clearest way to explain how the pam_time.so module works. We would like to limit remote logins by user john to between 13:00 and 14:00 on any day. To do this, add the line below to the /etc/security/time.conf file:

# vi /etc/security/time.conf
sshd;*;john;Al1300-1400

Fields are separated by a semicolon (;) character. The fields are:

  1. The service to be controlled; here sshd is used.
  2. The tty (terminal) being controlled. This field allows the restriction to be limited to a particular terminal. The “*” wildcard applies the restriction regardless of the terminal used for the login attempt.
  3. A list of the users to whom this limitation applies. Our example restriction applies only to the john user.
  4. A list of times to which the restriction applies. Each time range consists of an optional exclamation mark (!) that negates the range, followed by one or more two-letter day names, followed by a time range on a 24-hour clock. The name Wk means any weekday, Wd means a weekend day, and Al means any day. Our example grants permission between 13:00 and 14:00 on any day of the week.
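To see how a rule such as sshd;*;john;Al1300-1400 is evaluated before it is deployed, the following added example (not pam_time's own code) is a small Python evaluator for time.conf rules in the service;tty;users;times format. Its semantics are modelled on pam_time(8) with simplifications that are assumptions of this example: a rule whose services, ttys and users fields all match the login attempt denies access unless its times field is satisfied; an attempt that matches no rule at all is allowed; list fields support *, !, | and & evaluated left to right without parentheses; the end of a time range is exclusive; and a range that wraps past midnight is checked against the previous day for its after-midnight part. The sample configuration and the dates in the block are constructed.

```python
"""Toy evaluator for /etc/security/time.conf rules (added example, not pam_time itself)."""
import re
from datetime import datetime

# Day-name tokens from time.conf mapped to datetime.weekday() values (Mo=0 .. Su=6).
DAY_GROUPS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}

# One time item: DayNames followed by HHMM-HHMM, e.g. Al1300-1400 or MoWk0800-1700.
TIME_ITEM = re.compile(r"((?:[A-Z][a-z])+)(\d{2})(\d{2})-(\d{2})(\d{2})")


def _eval_logic(field, item_matches):
    """Evaluate a logic list such as 'mary|bob' or '!root' left to right (assumption: no parentheses)."""
    result, op = None, "|"
    for tok in re.split(r"([&|])", field.strip()):
        if tok in ("&", "|"):
            op = tok
            continue
        if not tok:
            continue
        negate = tok.startswith("!")
        value = item_matches(tok.lstrip("!")) != negate   # a leading '!' flips the item
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)


def _time_item_matches(item, when):
    """True if the datetime 'when' falls inside one DayNamesHHMM-HHMM item."""
    m = TIME_ITEM.fullmatch(item)
    if not m:
        raise ValueError(f"malformed time entry: {item!r}")
    days, day_str = set(), m.group(1)
    for i in range(0, len(day_str), 2):
        name = day_str[i:i + 2]
        if name not in DAY_GROUPS:
            raise ValueError(f"unknown day name {name!r} in {item!r}")
        days ^= DAY_GROUPS[name]   # repeated days toggle: MoWk = weekdays except Monday
    start = int(m.group(2)) * 60 + int(m.group(3))
    end = int(m.group(4)) * 60 + int(m.group(5))
    now = when.hour * 60 + when.minute
    today, yesterday = when.weekday(), (when.weekday() - 1) % 7
    if start <= end:
        return today in days and start <= now < end     # end of range is exclusive (assumption)
    # Range wraps past midnight (e.g. 2200-0600): the early part belongs to the previous day.
    return (today in days and now >= start) or (yesterday in days and now < end)


def parse_time_conf(text):
    """Parse time.conf text into (services, ttys, users, times) tuples; comments are stripped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 ';'-separated fields, got {len(fields)}")
        rules.append(tuple(f.strip() for f in fields))
    return rules


def login_allowed(rules, service, tty, user, when):
    """Apply the rules to one login attempt; False means pam_time would deny it."""
    for services, ttys, users, times in rules:
        matched = (
            _eval_logic(services, lambda s: s in ("*", service))
            and _eval_logic(ttys, lambda t: t in ("*", tty))
            and _eval_logic(users, lambda u: u in ("*", user))
        )
        if matched and not _eval_logic(times, lambda t: _time_item_matches(t, when)):
            return False
    return True   # no rule matched the attempt: pam_time imposes no restriction


# Constructed sample configuration: the page's rule for john plus a weekday rule for two users.
SAMPLE_CONF = """\
# constructed sample time.conf
sshd;*;john;Al1300-1400
sshd;*;mary|bob;Wk0800-1800
"""
SAMPLE_RULES = parse_time_conf(SAMPLE_CONF)


def check(user, when, service="sshd", tty="ssh"):
    """Evaluate one attempt against SAMPLE_RULES (sshd reports the tty as 'ssh')."""
    return login_allowed(SAMPLE_RULES, service, tty, user, when)


if __name__ == "__main__":
    monday = datetime(2023, 6, 12, 13, 30)   # a Monday, inside john's window
    print("john 13:30:", check("john", monday))
    print("john 14:00:", check("john", monday.replace(hour=14, minute=0)))
    print("alice (no rule):", check("alice", monday))
```

The default branch of login_allowed is the point worth noticing: a rule that never matches, for instance because of a typo in the user or service field, restricts nothing, so a rule should be tested against a few attempts like those in the block before relying on it.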

Activate The Policy
Add a line to the /etc/pam.d/sshd service file which reads:

# vi /etc/pam.d/sshd
account required pam_time.so

The line should be grouped with the other account lines. Line order in PAM configuration files matters: modules are applied in the order the lines appear in the file. Add the new line as the last account line. This ensures information about a time-based enforcement is not leaked to outsiders. In our example:

# vim /etc/pam.d/sshd
#%PAM-1.0
...
# Additionally, check for any account-based restrictions using pam_time.so
account required pam_nologin.so
account include password-auth
account required pam_time.so
...
Use extreme caution when making changes to the PAM configuration files. A wrong edit, or a typo, can open the system completely to any user, or can lock every user (including root) out of the system.
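Because a misplaced or mistyped line in /etc/pam.d/sshd has such wide effects, a quick check of the result is worthwhile. The following added example (not from the page or the PAM project) parses a /etc/pam.d/sshd-style file and reports whether pam_time.so is present in the account stack, uses the required control flag, and sits as the last account line, as the procedure above requires. It works on text so it runs offline; the sample stacks are constructed, and passing the contents of a real file lets it audit a host.

```python
"""Lint a /etc/pam.d/sshd-style file for the pam_time.so account entry (added example)."""
import re

# type, control (plain word or a [bracketed action list]), module, optional arguments
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_pam_file(text):
    """Return (type, control, module, args) for each effective (non-comment) line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse PAM entry {line!r}")
        mtype, control, module, args = m.groups()
        entries.append((mtype.lstrip("-"), control, module, args.strip()))
    return entries


def audit_pam_time(text):
    """Summarise how pam_time.so is placed in the account stack of the given file text."""
    account = [e for e in parse_pam_file(text) if e[0] == "account"]
    hits = [e for e in account if e[2] == "pam_time.so"]
    return {
        "present": bool(hits),
        "required": bool(hits) and all(e[1] == "required" for e in hits),
        "last_account_line": bool(account) and account[-1][2] == "pam_time.so",
        "account_entries": len(account),
    }


# Constructed samples: the stack shown above, one with the line placed too early, and one without it.
GOOD_SSHD = """\
#%PAM-1.0
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
account    required     pam_time.so
session    optional     pam_keyinit.so force revoke
"""
EARLY_SSHD = """\
#%PAM-1.0
account    required     pam_time.so
account    required     pam_nologin.so
account    include      password-auth
"""
MISSING_SSHD = "account    required     pam_nologin.so\n"


if __name__ == "__main__":
    for name, text in (("good", GOOD_SSHD), ("early", EARLY_SSHD), ("missing", MISSING_SSHD)):
        print(name, audit_pam_time(text))
```

A result where present is True but last_account_line is False is the case the text warns about: the module works, but it is evaluated before the other account checks rather than after them.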

© 2023 · The Geek Diary
