EXTEND PAM'S RESTRICTIONS

Pluggable Authentication Modules (PAM) are the meat and potatoes of recent Linux security. PAM handles everything from local and remote logins to other forms of authentication. In its most basic instance, when a login username and password are presented to the system, PAM checks to see if the login and password are both valid. If so, it will permit the login.

PAM can do a lot more than this, however. You can use it to deny logins to everyone on the system except root, to keep root out while letting others in (preventing unauthorized users from gaining root access), and to restrict logins to certain times of the day.

The pam_time.so module, usually located in /lib/security/, restricts access based on the time of day. If your Linux distribution uses system-auth for logins (most recent distributions do), modify your /etc/pam.d/system-auth file and include:

account required /lib/security/pam_time.so

Next, create the configuration file, /etc/security/time.conf. The following syntax is used:

services;ttys;users;times

For instance:

login;tty*;!joe;!Al2100-0800

This example tells the system to disallow all logins on any console (physical or pseudo) between the hours of 9:00 P.M. and 8:00 A.M. every day to all users except the user joe.
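To check what a rule will do before it goes live, the following added example (not part of the original article or of PAM itself) evaluates time.conf rules in Python. It is a simplified model of the documented pam_time semantics; the function names and the sample rule are constructed for illustration.

```python
import fnmatch
from datetime import datetime

# Day codes from time.conf(5); Wk = weekdays, Wd = weekend, Al = all seven days.
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

def logic_list(field, match):
    """Evaluate a list of '!', '&' and '|' terms strictly left to right."""
    result, op, tok = None, "|", ""
    for ch in field.replace(" ", "") + "|":
        if ch not in "&|":
            tok += ch
            continue
        val = match(tok.lstrip("!")) != tok.startswith("!")
        if result is None:
            result = val
        else:
            result = (result and val) if op == "&" else (result or val)
        op, tok = ch, ""
    return result

def time_matches(spec, when):
    """True if `when` falls inside one day/time entry such as Al2100-0800."""
    days = set()
    for i in range(0, len(spec) - 9, 2):
        days ^= DAYS[spec[i:i + 2]]  # repeated days toggle off: MoWk = Tu-Fr
    start, end = (int(x) for x in spec[-9:].split("-"))
    now, today = when.hour * 100 + when.minute, when.weekday()
    if start < end:
        return today in days and start <= now < end
    # The range wraps past midnight: the morning part counts for the day before.
    return (today in days and now >= start) or ((today - 1) % 7 in days and now < end)

def login_allowed(rules, service, tty, user, when):
    """Deny if any rule applies to service/tty/user but its times do not match."""
    for line in rules.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        services, ttys, users, times = line.split(";")
        glob = lambda value: (lambda pat: fnmatch.fnmatchcase(value, pat))
        applies = (logic_list(services, glob(service)) and logic_list(ttys, glob(tty))
                   and logic_list(users, glob(user)))
        if applies and not logic_list(times, lambda s: time_matches(s, when)):
            return False
    return True

# Constructed sample rule: everyone but joe is kept off tty* from 21:00 to 08:00.
RULES = "login;tty*;!joe;!Al2100-0800"
if __name__ == "__main__":
    print(login_allowed(RULES, "login", "tty1", "alice", datetime(2024, 1, 10, 22, 30)))
```

A rule only constrains the service named in its first field, so the sample rule leaves a login through a different PAM service (sshd, for example) untouched unless that service gets its own rule.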

For more information, see the README files that come with PAM. There's a README file that offers instructions and provides examples for every PAM module.