Thursday, 7 March 2013

Restrict SSH access based on time


Restricting access to services is a common task that most system administrators need to do in the course of their work. There is more than one way to do this with Linux (see man motd and man issue), but it just so happens that PAM (Pluggable Authentication Modules) will let you do both of the tasks you are trying to accomplish. PAM is a powerful and versatile system that allows any program compiled with it to use its modules for authentication, accounting, etc. Each program has its own configuration file in /etc/pam.d. This is what /etc/pam.d/sshd looks like by default:
vi  /etc/pam.d/sshd
#%PAM-1.0
auth      required pam_stack.so
service=system-auth
auth      required pam_nologin.so
account required pam_stack.so
service=system-auth
password required pam_stack.so
service=system-auth
session required pam_stack.so
service=system-auth
session required pam_loginuid.so

Add pam_time.so module at the top as like below:

#%PAM-1.0
account required pam_time.so
auth      required pam_stack.so
service=system-auth
auth      required pam_nologin.so
account required pam_stack.so
service=system-auth
password required pam_stack.so
service=system-auth
session required pam_stack.so
service=system-auth
session required pam_loginuid.so
session required pam_motd.so
motd=/etc/sshmotd

Now all you need to do is put the message of the day in /etc/sshmotd and add the following to /etc/security/time.conf:
sshd;*;*;!Al0200-0400

You should be very careful with PAM, as it is a very powerful authentication mechanism that can lock even root out of the system. I recommend that you first try any changes in a testing environment.
Reference link : http://www.tuxradar.com/answers/283