<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
  "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="time.conf">

  <refmeta>
    <refentrytitle>time.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>time.conf</refname>
    <refpurpose>configuration file for the pam_time module</refpurpose>
  </refnamediv>

  <refsect1 id='time.conf-description'>
    <title>DESCRIPTION</title>

    <para>
      The pam_time PAM module does not authenticate the user, but instead
      it restricts access to a system and/or specific applications at
      various times of the day and on specific days or over various
      terminal lines. This module can be configured to deny access to
      (individual) users based on their name, the time of day, the day of
      week, the service they are applying for and the terminal from which
      they are making their request.
    </para>
    <para>
      For this module to function correctly there must be a correctly
      formatted <filename>/etc/security/time.conf</filename> file present.
      White spaces are ignored and lines may be extended with '\' (escaped
      newlines). Text following a '#' is ignored to the end of the line.
    </para>

    <para>
      The syntax of the lines is as follows:
    </para>

    <para>
      <replaceable>services</replaceable>;<replaceable>ttys</replaceable>;<replaceable>users</replaceable>;<replaceable>times</replaceable>
    </para>
    <para>
      In words, each rule occupies a line, terminated with a newline
      or the beginning of a comment; a '<emphasis remap='B'>#</emphasis>'.
      It contains four fields separated with semicolons,
      '<emphasis remap='B'>;</emphasis>'.
    </para>

    <para>
      The first field, the <replaceable>services</replaceable> field,
      is a logic list of PAM service names that the rule applies to.
    </para>

    <para>
      The second field, the <replaceable>ttys</replaceable>
      field, is a logic list of terminal names that this rule applies to.
    </para>

    <para>
      The third field, the <replaceable>users</replaceable>
      field, is a logic list of users or a netgroup of users to whom this
      rule applies.
    </para>

    <para>
      For these items the simple wildcard '*' may be used only once.
      With netgroups no wildcards or logic operators are allowed.
    </para>

    <para>
      The <replaceable>times</replaceable> field is used to indicate the times
      at which this rule applies. The format here is a logic
      list of day/time-range entries. The days are specified by a sequence of
      two-character entries; MoTuSa, for example, is Monday, Tuesday and Saturday.
      Note that repeated days are unset: MoMo = no day, and MoWk = all weekdays
      bar Monday. The two-character combinations accepted are Mo Tu We Th Fr Sa
      Su Wk Wd Al, the last two being week-end days and all 7 days of the week
      respectively. As a final example, AlFr means all days except Friday.
    </para>
    <para>
      Each day/time-range can be prefixed with a '!' to indicate
      "anything but".
      The time-range part is two 24-hour times HHMM, separated by a hyphen,
      indicating the start and finish time (if the finish time is smaller
      than the start time it is deemed to apply on the following day).
    </para>
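    <para>
      The day toggling and overnight time ranges described above, worked
      through for the <replaceable>times</replaceable> field. This is an
      added example, not code from pam_time; the function names, the
      left-to-right evaluation of the logic list, and the start-inclusive,
      finish-exclusive range boundaries are assumptions.
      <programlisting><![CDATA[
```python
import re
from datetime import datetime

# Day codes listed on the page, as bit masks (bit 0 = Monday ... bit 6 = Sunday).
DAYS = {"mo": 1, "tu": 2, "we": 4, "th": 8, "fr": 16, "sa": 32, "su": 64,
        "wk": 0b0011111, "wd": 0b1100000, "al": 0b1111111}
ENTRY = re.compile(r"((?:[a-z]{2})+)(\d{4})-(\d{4})")

def day_mask(codes):
    """XOR the two-letter codes together, so a repeated day is unset."""
    mask = 0
    for i in range(0, len(codes), 2):
        mask ^= DAYS[codes[i:i + 2]]       # KeyError on an unknown day code
    return mask

def entry_matches(entry, when):
    """Evaluate one DAYS+HHMM-HHMM entry (no '!' prefix) against a datetime."""
    m = ENTRY.fullmatch(entry.lower())
    if m is None:
        raise ValueError("badly formatted entry: " + entry)
    mask, start, end = day_mask(m.group(1)), int(m.group(2)), int(m.group(3))
    today = 1 << when.weekday()                    # Python: Monday == 0
    yesterday = 1 << ((when.weekday() - 1) % 7)
    now = when.hour * 100 + when.minute            # HHMM as an integer
    if start < end:                                # range inside one day
        return bool(mask & today) and start <= now < end   # assumed bounds
    # Finish not after start: the range runs into the following day.
    return bool(mask & today and now >= start) or bool(mask & yesterday and now < end)

def times_match(field, when):
    """Evaluate a times logic list left to right (assumed: no precedence)."""
    result, op = False, "|"
    for token in re.split(r"\s*([|&])\s*", field.strip()):
        if token in ("|", "&"):
            op = token
            continue
        negate = token.startswith("!")             # '!' means "anything but"
        value = entry_matches(token.lstrip("! "), when) != negate
        result = (result and value) if op == "&" else (result or value)
    return result

# Constructed sample instants; the field is the games example from this page.
GAMES = "Wd0000-2400 | Wk1800-0800"
FRI_2200 = datetime(2024, 1, 5, 22, 0)   # Friday evening
SAT_0200 = datetime(2024, 1, 6, 2, 0)    # Saturday early morning
MON_0200 = datetime(2024, 1, 8, 2, 0)    # Monday early morning
MON_1000 = datetime(2024, 1, 8, 10, 0)   # Monday, working hours
```
]]></programlisting>
    </para>
    <para>
      Under these assumptions Monday 02:00 does not match Wk1800-0800: the
      overnight part of the range belongs to Sunday, which Wk does not include.
    </para>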

    <para>
      For a rule to be active, ALL of service+ttys+users must be satisfied
      by the applying process.
    </para>
    <para>
      Note, currently there is no daemon enforcing the end of a session.
      This needs to be remedied.
    </para>
    <para>
      Poorly formatted rules are logged as errors using
      <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
    </para>
  </refsect1>

  <refsect1 id="time.conf-examples">
    <title>EXAMPLES</title>
    <para>
      These are some example lines which might be specified in
      <filename>/etc/security/time.conf</filename>.
    </para>
    <para>
      All users except for <emphasis>root</emphasis> are denied access
      to console-login at all times:
      <programlisting>
login ; tty* &amp; !ttyp* ; !root ; !Al0000-2400
      </programlisting>
    </para>

    <para>
      Games (configured to use PAM) are only to be accessed out of
      working hours. This rule does not apply to the user
      <emphasis>waster</emphasis>:
      <programlisting>
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
      </programlisting>
    </para>
  </refsect1>

  <refsect1 id="time.conf-see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry><refentrytitle>pam_time</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

  <refsect1 id="time.conf-author">
    <title>AUTHOR</title>
    <para>
      pam_time was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
    </para>
  </refsect1>
</refentry>