I have a solution for anyone needing to control when a user can login to Linux machine based on time and day of the week. In this excercise I’ll illustrate how this can be done using PAM (Pluggable Authentication Modules). I’ll also take my solution one step further and explain how to automatically log the user off at a predetermined time.
This idea came to me when I was looking for a solution to limit the time my teenage kids spend on their Linux desktop computers in their rooms. In my example I will be using Fedora Core 6 as the desktop OS, but any PAM’able Linux distro should work.
Basic Restriction Example
The user we will use in this excercise is “jordan”.
As root edit /etc/security/time.conf and add
login|gdm;*;jordan;Al0800-1800
to the end of the file.
This line specifies that the console login and the graphical login are the affected services for the user named jordan on any tty on every day of the week from 8am until 6pm. There are other options for days of the week including excluding certain days while allowing others. You can read up on those option by reading the man time.conf manpage.
Next edit the /etc/pam.d/gdm file and add
account required pam_time.so
just below the auth entries.
Now edit /etc/pam.d/login file and add
account required pam_time.so
just below the auth entries there as well.
Thats it! Now the user “jordan” will only be able to login between 8AM and 6PM 7 days a week.
Forced Logoff
If user jordan is logged in when 6PM comes around nothing will happen until she logs out. After she logs out she will not be permitted to log back in as per our PAM entries.
To setup a simple automatic logout procedure I will use a basic cron entry to force the logoff at a predetermined time. I will give a 15 minute “grace” period past the 6PM restriction.
As root I’ll enter crontab -e and edit the file to contain this line:
15 18 * * * /usr/bin/skill -KILL -u jordan
Now every day at 6:15PM the user “jordan” will be logged off forcefully without warning.
Make sure to restart the cron dameon with service crond restart after each cron change.
Advanced Example
Lets make our time restrictions a little more realistic for my teenager and and give a popup warning dialog box that computer time is over 15 minutes prior to a forced logoff event.
As root edit /etc/security/time.conf and change the entry as such:
login|gdm;*;jordan;Wk1630-2000 | Wd0800-2230&!1200-1500
This means user “jordan” can login weekdays 4:30PM to 8PM and on weekends from 8AM till 10:30PM except between the hours of Noon and 3PM.
To make the forced logoff events happen as planned we need to put the commands for the logoffs into root’s crontab. As root issue crontab -e and place the following entries in root’s crontab replacing the earlier example we used.
15 12 * * 6-7 /usr/bin/skill -KILL -u jordan
45 22 * * 6-7 /usr/bin/skill -KILL -u jordan
15 20 * * 1-5 /usr/bin/skill -KILL -u jordan
The first line is a forced logoff event for jordan at 12:15PM on Saturdays and Sundays.
The second line is a forced logoff event for jordan at 10:45PM on Saturdays and Sundays.
The third line is a forced logoff event for jordan at 8:15PM Monday through Friday.
Now to give a warning dialog popup 15 minutes before forced logoff happens create a file as root nano /etc/jordan_zanity and place in it the warning text you desire. Save and close the file.
Next we’ll enter a couple more cron jobs to have to popups execute 15 minutes prior to a forced logoff. As root enter crontab -u jordan -e and edit the users crontab entry. It has to be the users crontab that will be receiving the popups.
We will need to add three lines to “jordans” crontab (each entry is one long line):
45 11 * * 6-7 /usr/bin/zenity –text-info –title=’Times Up’ –width=474 –height=400 –display=:0 –filename=/etc/jordan_zanity &
15 22 * * 6-7 /usr/bin/zenity –text-info –title=’Times Up’ –width=474 –height=400 –display=:0 –filename=/etc/jordan_zanity &
45 19 * * 1-5 /usr/bin/zenity –text-info –title=’Times Up’ –width=474 –height=400 –display=:0 –filename=/etc/jordan_zanity &
The first entry pops up the warning on Saturdays and Sundays at 11:45 AM, 15 minutes before the Noon forced logoff event that will take place at 12:15PM.
The second entry pops up the warning on Saturdays and Sundays at 10:15PM, 15 minutes before the 10:30PM forced logoff event that will occur at 22:45PM.
The last entry pops up the warning Monday through Friday at 7:45PM, 15 minutes before the 8PM forced logoff event that will occur at 8:15PM.
Make sure to restart the cron dameon with service crond restart after each cron change.
Conclusion
This method of restricting and controlling time spent on a Linux desktop machine running Fedora Core 6 seems to work well for my home lan. Even though the process to set this up is a bit time consuming it is well worth the piece of mind knowing that my teenagers are not online behind the closed door of their bedroom at 3AM.
I truely hope this helps other parents restrict and manage how much time their children spend on their Linux computers. I am very interested in hearing back from anyone who implements this solution.
Enjoy!
Scott
Gear 
Hi Scott. Do you also run a webfilter setup of any kind? I set up squid, squidguard, dansguardian, and iptables in order to have a more-or-less complete solution, with per-user transparent proxy (no browser settings to allow you to bypass the proxy). I had to set up postfix so that I would get e-mails if repeated blocked browsing attempts exceeded a threshold. Little bit of effort, but it really gives me that peace of mind. I haven’t implemented a login control like in your article, but I think that will be next, as a just-in-case. I did set the proxy to deny access between certain hours of the day and give a custom message, however. If you are also using a filtering solution, I would be very interested to read about it. Your article was quite informative!
Thanks!
LikeLike
I do not use a proxy with my kids at home. I have setup a squid proxy in the past, but a proxy does not fit into my home lan needs at the moment.
I do use IPTABLES though.
LikeLike
Fantastic! I knew there had to be a better way than all the others I have seen, and this is it. I thought it’d be part of the restricted time/days access settings.
This works just as well and teaches me a bit about cron in the process. I didn’t know you could tell it to only do things on certain days of the week!
I’ve got a local copy saved in case this disappears.
LikeLike
Last year when I was forced to restrict my childen’s time spent at computer I could not find any ideas, so I went on with my approach. Instead of using PAM, as it would allow them to use computer only at certain times, I wrote a small script which relies on wtmp file and accounts total time they spend with PC. Password part us gly, but I never thought I will share this 😀
sac package is needed.
#!/bin/bash
if [ $# -le 1 ] ; then
echo “Usage: username quota ( “$OVER” ]] ; then
if [[ `w $1 -s -h | wc -l` -gt 0 ]] ; then
killall -u $1
killall -s 9 -u $1
sed -i “/^$1/d” /etc/passwd
exit 0
fi
elif [ $VEL -le 10 ] ; then
su – $1 -c “DISPLAY=:0 zenity –warning –title “Brīdinājums” –text \”Paliku\šas $VEL minūtes\!\””
else
EXISTS=`grep -c $1 /etc/passwd`
if [ $EXISTS -le 0 ] ; then
case $1 in
“fridrihs” )
sed -i “/^gdm/afridrihs:x:1002:1001:Fridrihs,,,:/home/fridrihs:/bin/bash” /etc/passwd
;;
“beta” )
sed -i “/^gdm/abeta:x:1001:1001:Beatrise,,,:/home/beta:/bin/bash” /etc/passwd
;;
esac
fi
fi
LikeLike
[…] Update: I found a method for getting the Parental Controls that I needed in Ubuntu. https://skindley.wordpress.com/2006/12/11/fedora-core-6-controlling-logins-by-time/ […]
LikeLike
[…] https://skindley.wordpress.com/2006/12/11/fedora-core-6-controlling-logins-by-time/ […]
LikeLike
[…] […]
LikeLike
Howdy Scott – Let’s suppose we don’t care WHEN the user logs in. We just want to limit the total time per day that the user can be on the system. Do you know how to do that?
LikeLike
Yes I have setup a system for a cyber cafe where users where allowed time on the workstation for a predetermined amount of time. That is of course not within the scope of this article. Frankly there are several ways to go about that and most can become pretty difficult to setup.
For example lets say you want a user to only have 1 hour of time on a workstation in a 24 hour period. Is the 24 hour period defined as 1 hour in the 24 hour period beginning from the time the user first logged in, or 1 hour from 00:00:00 to 23:59:59.
One must also consider what happens if the user logs in for 3 minutes, logs off and logs back in and hour later for 14 minues 36 seconds, logs off and back in again for the remander of the time. This example seems far fetched but believe me I’ve seen situations where a user logged in and out numerous times in a short period of time. It would be a nightmare to script something like this with the basic tools I used in the article.
Again what you are describing is very possible but not very practicle using the basic tools that I’ve used in the article.
LikeLike
First of all, this page was great while setting up an environment for my daughters, thanks!
Some time ago while upgrading to Fedora 1* (can’t remember any more exactly which version) I found out that the following line
login|gdm;*;jordan;Al0800-1800
should be modified a bit
login|gdm-password;*;jordan;Al0800-1800
and then respectively the file that needs to be modified further would be /etc/pam.d/gdm-password instead of /etc/pam.d/gdm
LikeLike
Thanks for the info. I havn’t updated this article beyond Fedora Core 6 (or posted any other articles for that matter) in a long, long time. It’s nice to see this article still referred to after all this time. While file names/locations may change over time between distributions the basic principles are still valid. In fact judging from the stats for this article more people using Ubuntu refer to this article than folks running Fedora/Red Hat distributions 🙂
Enjoy!
LikeLike
[…] Fedora Core 6: Controlling Logins By Time « Scott Kindley […]
LikeLike