Allow ssh access only at certain times
Hi,

I allow ssh access to a number of accounts on one of my servers from a list of IP addresses, but I don't really want people to be using this service outside normal working hours..

I'm restricting access to these accounts thus:

In /etc/pam.d/sshd, add:
    account required pam_time.so

In /etc/security/time.conf, add:
    sshd;*;user;Wd0900-1700

All well and good, BUT... I can't log in! (And yes, it _is_ a weekday between 9am and 5pm....)

Given that the only system change is the addition of that line, and that in /var/log/messages I see:

    Jan 27 12:07:13 carbon pam_time[4642]: garbled syntax; expected name (rule #1)
    Jan 27 12:07:13 carbon sshd[4642]: PAM rejected by account configuration[6]: Permission denied

I'm using SLES 8, and my pam package is version 0.76-109

Does the positioning of the line in pam.d/sshd matter that much? It's currently the last "account" line, but it was the first "account" line.

(And no, Mr PromotionFactory, I don't want to be on your list)

Tom.
---------------
Tom Knight
System Administration Officer
Arts & Humanities Data Service
Web: http://www.ahds.ac.uk
Email: tom.knight@ahds.ac.uk
Tel: (0)20 7928 7371
> In /etc/security/time.conf, add: sshd;*;user;Wd0900-1700

I think you have to change "sshd" to "login &sshd" according to this
http://www.informit.com/isapi/product_id~%7BCCB14385-F234-4C09-AEE1-AE3B50C170F8%7D/element_id~%7B1317B826-B578-4564-B475-D91A20493911%7D/st~%7B20492063-6F3F-4FB5-A2CE-DC4AF32E0E8C%7D/content/articlex.asp
found while doing that
http://www.google.com/search?hl=de&ie=UTF-8&oe=utf-8&q=pam_time+time.conf&btnG=Google+Suche
as fifth link

Hope that helps

Michael
/ 2004-01-27 12:53:29 -0000 \ Tom Knight:
> Hi,
> I allow ssh access to a number of accounts on one of my servers from a list of IP addresses, but I don't really want people to be using this service outside normal working hours..
> I'm restricting access to these accounts thus:
> In /etc/pam.d/sshd, add: account required pam_time.so
> In /etc/security/time.conf, add: sshd;*;user;Wd0900-1700
> All well and good, BUT... I can't log in! (And yes, it _is_ a weekday between 9am and 5pm....)

and that might be your error: I think Wd is WeekenD, Wk is WeeKday ;)

Lars Ellenberg
>> In /etc/security/time.conf, add: sshd;*;user;Wd0900-1700
>> All well and good, BUT... I can't log in! (And yes, it _is_ a weekday between 9am and 5pm....)
> and that might be your error: I think Wd is WeekenD, Wk is WeeKday

DOH!

I've now changed it to plain 0900-1700, and I'm still having no fun.

Thank you for pointing that out though, because it would have caused a problem soon enough anyway ;-)

Tom.
-----Original Message-----
From: Tom Knight [mailto:thomas.knight@ahds.ac.uk]
Sent: 27 January 2004 14:49
To: suse-security@suse.com
Subject: RE: [suse-security] Allow ssh access only at certain times

>>> In /etc/security/time.conf, add: sshd;*;user;Wd0900-1700
>>> All well and good, BUT... I can't log in! (And yes, it _is_ a weekday between 9am and 5pm....)
>> and that might be your error: I think Wd is WeekenD, Wk is WeeKday
> DOH!
> I've now changed it to plain 0900-1700, and I'm still having no fun.
...and that's because I'm thick. I should have used !1700-0900 to say "not between 5pm and 9am the next day"

Thanks for your help,

Tom.
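Added example, not part of the original thread and not pam_time's own code: a simplified Python model of how the times field of a time.conf rule is evaluated, following the day codes and wrap-around rule documented in time.conf(5), so a rule can be checked against a timestamp before it locks anyone out. It assumes entries with an explicit day code, supports only "!" and "|", and ignores the services, ttys and users fields.

```python
import re
from datetime import datetime

# Day codes documented in time.conf(5). Each code toggles bits in a 7-bit
# mask (bit 0 = Monday), so a repeated day is unset again.
DAY_BITS = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64,
            "Wk": 0b0011111, "Wd": 0b1100000, "Al": 0b1111111}
ENTRY = re.compile(r"(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")


def entry_matches(entry, when):
    """Evaluate one entry such as 'Wk0900-1700' or '!Al1700-0900'."""
    m = ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"unsupported entry in this model: {entry!r}")
    negate, days, start, end = m.groups()
    mask = 0
    for i in range(0, len(days), 2):
        mask ^= DAY_BITS[days[i:i + 2]]  # e.g. MoWk = weekdays except Monday
    start, end = (int(t[:2]) * 60 + int(t[2:]) for t in (start, end))
    now = when.hour * 60 + when.minute
    today = 1 << when.weekday()
    yesterday = 1 << ((when.weekday() - 1) % 7)
    if start < end:  # range lies within one day
        hit = bool(mask & today) and start <= now < end
    else:  # finish earlier than start: range runs into the following day
        hit = (bool(mask & today) and now >= start) or \
              (bool(mask & yesterday) and now < end)
    return hit != bool(negate)


def rule_allows(rule, when):
    """Split 'services;ttys;users;times'; allow if any '|' entry matches."""
    fields = rule.split(";")
    if len(fields) != 4:
        raise ValueError("expected services;ttys;users;times")
    return any(entry_matches(e, when) for e in fields[3].split("|"))


if __name__ == "__main__":
    # Constructed timestamp: the Tuesday from the log lines in the first post.
    noon = datetime(2004, 1, 27, 12, 7)
    for rule in ("sshd;*;user;Wd0900-1700", "sshd;*;user;Wk0900-1700",
                 "sshd;*;user;!Al1700-0900"):
        print(rule, "->", "allow" if rule_allows(rule, noon) else "deny")
```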
participants (4)
- GentooRulez
- Lars Ellenberg
- Tom Knight
- Tom Knight