05-19-2008, 09:18 PM
Kai Wollweber

time dependent denial of login

Hi,

we want to enable/disable clients in classrooms depending on a timetable. This
means not to disable any user at all. Intended is to disable certain
terminals.

At a given time a new login should be impossible whereas a running session may
continue.

Is it possible to disable login on a certain set of clients at given times?

My first idea is to overwrite lts.conf by crontab. The disabled clients would
get a non existing LDM_SERVER. I'm not happy with this approach.

Any better ideas?
TIA
--
Kai Wollweber
Integrierte Gesamtschule
Eckernförde

--
edubuntu-users mailing list
edubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/edubuntu-users
 
05-19-2008, 10:06 PM
Gavin McCullagh

time dependent denial of login

Hi,

On Mon, 19 May 2008, Kai Wollweber wrote:

> we want to enable/disable clients in classrooms depending on a timetable. This
> means not to disable any user at all. Intended is to disable certain
> terminals.
>
> At a given time a new login should be impossible whereas a running session may
> continue.

This doesn't sound foolproof to me -- i.e. I can foresee issues with people
getting bumped out by accident and not being able to login again. However,
with that rider, I might make some suggestions.

> Is it possible to disable login on a certain set of clients at given times?
>
> My first idea is to overwrite lts.conf by crontab. The disabled clients would
> get a non existing LDM_SERVER. I'm not happy with this approach.

If modifying lts.conf, it might be nicer to set:

LDM_REMOTECMD=/usr/sbin/nologin

which (I hope) would give back a slightly more sensible error "This account
is currently not available". This could hopefully be displayed by LDM
(though I'm not sure of that).

Alternatively, if you have static IPs, you could block ssh access from
certain IPs with a firewall rule which could be added and removed by a cron
job. Shorewall would be a bit extreme for something so simple, but they do
mention such an idea here.

http://lists.shorewall.net/pipermail/shorewall-users/2004-July/013880.html

Gavin


 
05-19-2008, 10:28 PM
Daniel Kahn Gillmor

time dependent denial of login

On Mon 2008-05-19 17:18:14 -0400, Kai Wollweber wrote:

> we want to enable/disable clients in classrooms depending on a
> timetable. This means not to disable any user at all. Intended is to
> disable certain terminals.
>
> At a given time a new login should be impossible whereas a running
> session may continue.
>
> Is it possible to disable login on a certain set of clients at given
> times?

The most common way to do something like this is with PAM, using the
pam_time module, and modifying /etc/security/time.conf to affect the
relevant services.

For further details, see:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_time.html

If you're unfamiliar with using PAM to administer your system, you
might want to start from the beginning of the PAM systems'
administrators guide. It's a very flexible (if somewhat arcane) system:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html

Regards,

--dkg
 
05-20-2008, 04:45 PM
Kai Wollweber

time dependent denial of login

Hi Daniel,

On Tuesday 20 May 2008 00:28:31 Daniel Kahn Gillmor wrote:

> > Is it possible to disable login on a certain set of clients at given
> > times?
>
> The most common way to do something like this is with PAM, using the
> pam_time module, and modifying /etc/security/time.conf to affect the
> relevant services.
>

Your idea looks fine at first sight. But I still see some problems.

In the pam howto I read about time.conf:

The syntax is as follows:

services;ttys;users;times

[snip]

The second field, the tty field, is a logic list of terminal names that this
rule applies to.

I understand the rules but I have no idea how a logical tty is assigned to the
physical terminal, identified by its IP. The command 'last' shows who was
logged in and which tty was assigned to the physical terminal:

annoes pts/37 192.168.0.226 Thu May 15 14:27 - 14:48 (00:21)
finsch pts/38 192.168.0.210 Thu May 15 14:22 - 16:34 (02:11)
linjai pts/37 192.168.0.209 Thu May 15 14:22 - 14:23 (00:01)

As we can see the pts/37 is assigned to different clients and if I got it
right the time.conf of pam can setup rules on tty but not on IP. "pts/*" e.g.
would affect all clients connecting on a pts. But our problem is to disable
only some terminal clients while others need to stay enabled.

--
Kai Wollweber
Integrierte Gesamtschule
Eckernförde
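
The limitation raised in the last message, as an added example that is not part of the thread and not pam_time's own code: a simplified Python model of how a `services;ttys;users;times` rule is evaluated, run against the three `last` entries quoted above. It assumes the service name is `sshd`, that PAM sees the pts name shown by `last`, and that `when` is a `datetime`; the rules passed to it are constructed for illustration.

```python
import re

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
GROUPS = {"Wk": DAYS[:5], "Wd": DAYS[5:], "Al": DAYS}
# (user, tty, client IP) copied from the `last` output quoted in the post
SESSIONS = [("annoes", "pts/37", "192.168.0.226"), ("finsch", "pts/38", "192.168.0.210"),
            ("linjai", "pts/37", "192.168.0.209")]

def name_match(pattern, value):
    """Match one service/tty/user token; a single '*' wildcard is allowed."""
    head, star, tail = pattern.partition("*")
    if not star:
        return pattern == value
    return len(value) >= len(head + tail) and value.startswith(head) and value.endswith(tail)

def time_match(token, when):
    """Match a token such as 'Wk0800-1500' (day codes, then HHMM-HHMM)."""
    days_part, start, end = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", token).groups()
    days = set()
    for code in re.findall("..", days_part):
        days ^= set(GROUPS.get(code, [code]))  # a repeated day cancels out
    now, today = when.strftime("%H%M"), DAYS[when.weekday()]
    if start <= end:
        return today in days and start <= now < end
    yesterday = DAYS[when.weekday() - 1]       # range wraps past midnight
    return (today in days and now >= start) or (yesterday in days and now < end)

def logic_field(field, test):
    """Evaluate a logic list left to right: tokens joined by '|' or '&', '!' negates."""
    parts = re.split(r"\s*([|&])\s*", field.strip())
    one = lambda tok: not test(tok[1:]) if tok.startswith("!") else test(tok)
    result = one(parts[0])
    for op, tok in zip(parts[1::2], parts[2::2]):
        result = (result or one(tok)) if op == "|" else (result and one(tok))
    return result

def allowed(rules, service, tty, user, when):
    """Deny when a rule matches service, tty and user but not the time."""
    for rule in rules:
        svc, ttys, users, times = rule.split(";")
        fields = zip((svc, ttys, users), (service, tty, user))
        applies = all(logic_field(f, lambda p, v=v: name_match(p, v)) for f, v in fields)
        if applies and not logic_field(times, lambda t: time_match(t, when)):
            return False
    return True

def denied_clients(rules, when, service="sshd"):
    """Client IPs from SESSIONS whose login the rules would refuse at `when`."""
    return [ip for user, tty, ip in SESSIONS if not allowed(rules, service, tty, user, when)]
```

Calling `denied_clients(["sshd;pts/37;*;!Th1400-1500"], datetime(2008, 5, 15, 14, 30))` returns both 192.168.0.226 and 192.168.0.209, because the rule keys on the pts name and the two clients shared pts/37; no tty pattern singles out one of them.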
