I have a solution for anyone needing to control when a user can log in to a Linux machine based on time and day of the week. In this exercise I’ll illustrate how this can be done using PAM (Pluggable Authentication Modules). I’ll also take my solution one step further and explain how to automatically log the user off at a predetermined time.
This idea came to me when I was looking for a solution to limit the time my teenage kids spend on their Linux desktop computers in their rooms. In my example I will be using Fedora Core 6 as the desktop OS, but any PAM’able Linux distro should work.
Basic Restriction Example
The user we will use in this exercise is “jordan”.
As root edit /etc/security/time.conf and add
login|gdm;*;jordan;Al0800-1800
to the end of the file.
This line specifies that the console login and the graphical login are the affected services for the user named jordan on any tty on every day of the week from 8am until 6pm. There are other options for days of the week, including excluding certain days while allowing others. You can read up on those options in the time.conf man page (man time.conf).
Next edit the /etc/pam.d/gdm file and add
account required pam_time.so
just below the auth entries.
Now edit /etc/pam.d/login file and add
account required pam_time.so
just below the auth entries there as well.
That’s it! Now the user “jordan” will only be able to log in between 8AM and 6PM, 7 days a week.
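A check for the steps above, as an added example that is not part of the original post: pam_time only consults time.conf for services whose PAM file contains the account line, so this script lists the services named in a user's rule that lack it (such a rule silently does nothing) and flags rules without four fields. The function names and the temporary sample files are constructed for illustration; on a live system pass /etc/security/time.conf and /etc/pam.d.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments so the check
# can run on copies; the live files are /etc/security/time.conf and /etc/pam.d.

# Print the services named in time.conf rules that apply to a user.
# Rule format: services;ttys;users;times. Assumption: plain names joined
# with "|", as in the post's rules (no "!" or wildcard service names).
rule_services() {  # $1 = time.conf, $2 = user
    sed 's/#.*//' "$1" | awk -F';' -v user="$2" '
        NF == 4 {
            gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $3)
            n = split($3, u, /[|]/); m = split($1, s, /[|]/)
            for (i = 1; i <= n; i++)
                if (u[i] == user || u[i] == "*") {
                    for (j = 1; j <= m; j++) print s[j]
                    break
                }
        }' | sort -u
}

# Succeed if a PAM service file has an active "account ... pam_time.so" line.
# Limitation: "include" lines are not followed.
has_pam_time() {  # $1 = PAM service file
    [ -f "$1" ] &&
        grep -Eq '^[[:space:]]*account[[:space:]]+[^#]*pam_time\.so' "$1"
}

# Print services named for the user whose PAM file never calls pam_time;
# for those services the time.conf rule is not consulted at all.
unenforced_services() {  # $1 = time.conf, $2 = pam.d directory, $3 = user
    for svc in $(rule_services "$1" "$3"); do
        has_pam_time "$2/$svc" || echo "$svc"
    done
}

# Print line numbers of rules that do not have exactly four ";" fields.
malformed_rules() {  # $1 = time.conf
    sed 's/#.*//' "$1" | awk -F';' '$0 !~ /^[ \t]*$/ && NF != 4 { print NR }'
}

# Constructed sample: the post's rule, with pam_time added to gdm but not login.
demo=$(mktemp -d) && mkdir "$demo/pam.d"
printf '%s\n' '# sample' 'login|gdm;*;jordan;Al0800-1800' > "$demo/time.conf"
printf '%s\n' 'auth required pam_unix.so' 'account required pam_time.so' > "$demo/pam.d/gdm"
printf '%s\n' 'auth required pam_unix.so' > "$demo/pam.d/login"
unenforced_services "$demo/time.conf" "$demo/pam.d" jordan
```

Any other way into the machine that is not named in the rule and does not call pam_time in its own PAM file is outside this restriction.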
Forced Logoff
If user jordan is logged in when 6PM comes around nothing will happen until she logs out. After she logs out she will not be permitted to log back in as per our PAM entries.
To set up a simple automatic logout procedure I will use a basic cron entry to force the logoff at a predetermined time. I will give a 15 minute “grace” period past the 6PM restriction.
As root I’ll enter crontab -e and edit the file to contain this line:
15 18 * * * /usr/bin/skill -KILL -u jordan
Now every day at 6:15PM the user “jordan” will be logged off forcefully without warning.
Make sure to restart the cron daemon with service crond restart after each cron change.
Advanced Example
Let’s make our time restrictions a little more realistic for my teenager and give a popup warning dialog box, 15 minutes prior to a forced logoff event, saying that computer time is over.
As root edit /etc/security/time.conf and change the entry as such:
login|gdm;*;jordan;Wk1630-2000 | Wd0800-2230&!1200-1500
This means user “jordan” can login weekdays 4:30PM to 8PM and on weekends from 8AM till 10:30PM except between the hours of Noon and 3PM.
To make the forced logoff events happen as planned we need to put the commands for the logoffs into root’s crontab. As root issue crontab -e and place the following entries in root’s crontab, replacing the earlier example we used.
15 12 * * 6-7 /usr/bin/skill -KILL -u jordan
45 22 * * 6-7 /usr/bin/skill -KILL -u jordan
15 20 * * 1-5 /usr/bin/skill -KILL -u jordan
The first line is a forced logoff event for jordan at 12:15PM on Saturdays and Sundays.
The second line is a forced logoff event for jordan at 10:45PM on Saturdays and Sundays.
The third line is a forced logoff event for jordan at 8:15PM Monday through Friday.
Now, to give a warning dialog popup 15 minutes before the forced logoff happens, create a file as root with nano /etc/jordan_zanity and place in it the warning text you desire. Save and close the file.
Next we’ll enter a couple more cron jobs to have the popups execute 15 minutes prior to a forced logoff. As root enter crontab -u jordan -e and edit the user’s crontab entry. It has to be the crontab of the user who will be receiving the popups.
We will need to add three lines to jordan’s crontab (each entry is one long line):
45 11 * * 6-7 /usr/bin/zenity --text-info --title='Times Up' --width=474 --height=400 --display=:0 --filename=/etc/jordan_zanity &
15 22 * * 6-7 /usr/bin/zenity --text-info --title='Times Up' --width=474 --height=400 --display=:0 --filename=/etc/jordan_zanity &
45 19 * * 1-5 /usr/bin/zenity --text-info --title='Times Up' --width=474 --height=400 --display=:0 --filename=/etc/jordan_zanity &
The first entry pops up the warning on Saturdays and Sundays at 11:45 AM, 15 minutes before the Noon forced logoff event that will take place at 12:15PM.
The second entry pops up the warning on Saturdays and Sundays at 10:15PM, 15 minutes before the 10:30PM forced logoff event that will occur at 10:45PM.
The last entry pops up the warning Monday through Friday at 7:45PM, 15 minutes before the 8PM forced logoff event that will occur at 8:15PM.
Make sure to restart the cron daemon with service crond restart after each cron change.
Conclusion
This method of restricting and controlling time spent on a Linux desktop machine running Fedora Core 6 seems to work well for my home LAN. Even though the process to set this up is a bit time consuming, it is well worth the peace of mind knowing that my teenagers are not online behind the closed door of their bedroom at 3AM.
I truly hope this helps other parents restrict and manage how much time their children spend on their Linux computers. I am very interested in hearing back from anyone who implements this solution.
Enjoy!
Scott
Hi Scott. Do you also run a webfilter setup of any kind? I set up squid, squidguard, dansguardian, and iptables in order to have a more-or-less complete solution, with per-user transparent proxy (no browser settings to allow you to bypass the proxy). I had to set up postfix so that I would get e-mails if repeated blocked browsing attempts exceeded a threshold. Little bit of effort, but it really gives me that peace of mind. I haven’t implemented a login control like in your article, but I think that will be next, as a just-in-case. I did set the proxy to deny access between certain hours of the day and give a custom message, however. If you are also using a filtering solution, I would be very interested to read about it. Your article was quite informative!
Thanks!
Comment by symbolik — January 14, 2007 @ 5:21 am
I do not use a proxy with my kids at home. I have set up a squid proxy in the past, but a proxy does not fit into my home lan needs at the moment.
I do use IPTABLES though.
Comment by Scott Kindley — January 14, 2007 @ 1:26 pm
Fantastic! I knew there had to be a better way than all the others I have seen, and this is it. I thought it’d be part of the restricted time/days access settings.
This works just as well and teaches me a bit about cron in the process. I didn’t know you could tell it to only do things on certain days of the week!
I’ve got a local copy saved in case this disappears.
Comment by cookieninja — November 26, 2007 @ 5:10 pm
Last year when I was forced to restrict my children’s time spent at the computer I could not find any ideas, so I went on with my approach. Instead of using PAM, as it would allow them to use the computer only at certain times, I wrote a small script which relies on the wtmp file and accounts for the total time they spend with the PC. The password part is ugly, but I never thought I would share this
sac package is needed.
#!/bin/bash
if [ $# -le 1 ] ; then
echo "Usage: username quota ( "$OVER" ]] ; then
if [[ `w $1 -s -h | wc -l` -gt 0 ]] ; then
killall -u $1
killall -s 9 -u $1
sed -i "/^$1/d" /etc/passwd
exit 0
fi
elif [ $VEL -le 10 ] ; then
su - $1 -c "DISPLAY=:0 zenity --warning --title \"Brīdinājums\" --text \"Palikušas $VEL minūtes\!\""
else
EXISTS=`grep -c $1 /etc/passwd`
if [ $EXISTS -le 0 ] ; then
case $1 in
"fridrihs" )
sed -i "/^gdm/afridrihs:x:1002:1001:Fridrihs,,,:/home/fridrihs:/bin/bash" /etc/passwd
;;
"beta" )
sed -i "/^gdm/abeta:x:1001:1001:Beatrise,,,:/home/beta:/bin/bash" /etc/passwd
;;
esac
fi
fi
Comment by shpokas — November 28, 2007 @ 3:46 am
[...] Update: I found a method for getting the Parental Controls that I needed in Ubuntu. http://skindley.wordpress.com/2006/12/11/fedora-core-6-controlling-logins-by-time/ [...]
Pingback by Ubuntu Parental Controls | The Bristow's dot COM — June 10, 2008 @ 12:12 pm