Using to control when people can log into your servers

Most admins have to support system logins in one form or another. These logins include everything from application service accounts, operations accounts, SysAdmin accounts and pretty much everything else you can think of. Some of these accounts may not need to access your servers 247, and you may want to limit the timeframes when users or groups of users can login. This is super easy to do on Linux systems with the pam_time module.

Pam_time is pretty simple. To configure it to allow logins during a specified time period, you can edit /etc/security/time.conf and add entries to limit access. Entries in this file take the following format:


The pam service name contains the name of the pam service to disallow access to, the ttys field controls the devices to limit access to, the user list contains the users to deny access to, and the time field controls allows you to list the times when a user can login. Here is an sample entry:


In the example above, the users haroldp and kumarj would only be able to login via ssh between the hours of 9am and 5pm. To enforce the limits in the time.conf configuration file, you will need to add the module to the account section in your pam configuration. For a CentOS server, you can append the pam_time entry to the top of the account section in /etc/pam.d/system-auth:

account required **<--- New entry**
account required
account sufficient uid < 500 quiet
account required

If a user tries to login outside of the hours listed in the fourht field above, they will be denied access. One important note regarding the time field. This field contains the times you WANT to grant access. To deny access during a time range you will need to append a bang (!) to the time. This module gives a whole new flare to the phrase “ACCESS DENIED!“. :)

This article was posted by Matty on 2010-08-30 16:12:00 -0400 EDT