Documentation by: Joerg Moellenkamp
Let's assume you want to limit ssh login for user junior to a certain timespan, let's say weekdays between 13:10 and 17:00. With Solaris 11.2 it's really easy to limit access to certain services based on times.
To enforce this, you can set access_times for certain PAM services for the user junior like this. The limitation is enforced by the pam_unix_account.so module, and its man page states:
Validate that the user is permitted to access the PAM service at the current time and day of the week.
You will see pam_unix_account doing its job later on.
I will simply limit all PAM services that are used by ssh. Log into your server as root:
# usermod -K access_times='{sshd-none,sshd-password,sshd-kbdint,sshd-pubkey,sshd-hostbased}:Wk1310-1700' junior
Let's try to log in before 13:10.
desktop:~ joergmoellenkamp$ date
Mi 28 Mai 2014 13:08:55 CEST
desktop:~ joergmoellenkamp$ ssh junior@192.168.1.16
Hi, i am default
Password:
Warning: 1 failed authentication attempt at Wed May 28 13:07 2014 since last successful authentication.
pam_unix_account: User junior may not use the sshd-kbdint service at this time.
Password:
pam_unix_account: User junior may not use the sshd-kbdint service at this time.
Password:
pam_unix_account: User junior may not use the sshd-kbdint service at this time.
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
desktop:~ joergmoellenkamp$
Access is denied. Now get some coffee, talk with your colleagues and get back to the shell after 13:10, let's say at 13:12.
desktop:~ joergmoellenkamp$ date
Mi 28 Mai 2014 13:12:07 CEST
desktop:~ joergmoellenkamp$ ssh junior@192.168.1.16
Hi, i am default
Password:
Last login: Wed May 28 11:49:04 2014 from desktop
Oracle Corporation SunOS 5.11 11.2 April 2014
junior@master:~$
Voila, now you can log into your services.
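The following check is an added example, not part of the original article or of Solaris: it parses an access_times value in the single-entry form used above, reports which of the five sshd PAM services it leaves uncovered, and evaluates a login time against the window. Assumptions: the function names are hypothetical, day codes other than Wk are assumed, a service missing from the list is treated as not time-limited, and the end of the window is treated as exclusive.

```python
import re
from datetime import datetime

# The five sshd PAM services named in the usermod command on this page.
SSH_SERVICES = {"sshd-none", "sshd-password", "sshd-kbdint",
                "sshd-pubkey", "sshd-hostbased"}

# "Wk" (Monday-Friday) is from the page; the other codes are assumed.
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
        "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7))}

# Only the single-entry form shown on the page: {svc,svc,...}:DaysHHMM-HHMM
ENTRY = re.compile(r"^\{([^}]+)\}:((?:[A-Z][a-z])+)(\d{4})-(\d{4})$")


def parse_access_times(value):
    """Return (services, weekdays, start, end) for one access_times value."""
    m = ENTRY.match(value.strip())
    if not m:
        raise ValueError("unsupported access_times value: %r" % value)
    services = {s.strip() for s in m.group(1).split(",")}
    codes = re.findall(r"[A-Z][a-z]", m.group(2))
    if any(c not in DAYS for c in codes):
        raise ValueError("unknown day code in %r" % value)
    days = set().union(*(DAYS[c] for c in codes))
    start, end = int(m.group(3)), int(m.group(4))
    if any(t // 100 > 23 or t % 100 > 59 for t in (start, end)) or start >= end:
        raise ValueError("bad time range in %r" % value)
    return services, days, start, end


def may_access(value, service, when):
    """True if `service` is usable at datetime `when` under this value."""
    services, days, start, end = parse_access_times(value)
    if service not in services:
        return True  # assumption: an unlisted service is not time-limited
    hhmm = when.hour * 100 + when.minute
    # Assumption: the window includes the start minute and excludes the end.
    return when.weekday() in days and start <= hhmm < end


def uncovered_ssh_services(value):
    """sshd PAM services that the value leaves without a time limit."""
    return sorted(SSH_SERVICES - parse_access_times(value)[0])


PAGE_VALUE = ("{sshd-none,sshd-password,sshd-kbdint,sshd-pubkey,"
              "sshd-hostbased}:Wk1310-1700")
```

Running uncovered_ssh_services() over a value before passing it to usermod -K shows whether any sshd authentication method would remain usable outside the window.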