LinuxCommandLibrary

pam_time

Restrict access based on time of day

SYNOPSIS

Add to a PAM service configuration file (e.g., /etc/pam.d/sshd):
account required|requisite pam_time.so [debug] [no_warn] [deny|allow] [file=/path/to/time.conf] [field=DELIMITER]

PARAMETERS

debug
    Logs verbose debugging information to syslog, which is highly useful for troubleshooting module behavior and understanding rule evaluation.

no_warn
    Suppresses warning messages generated by the module from being logged to syslog, resulting in cleaner log output.

deny
    When specified, this module option sets the default behavior to deny access if no specific rules in the time.conf file match the current context. This option is mutually exclusive with allow.

allow
    When specified, this module option sets the default behavior to allow access if no specific rules in the time.conf file match the current context. This is the default behavior if neither deny nor allow is provided. It is mutually exclusive with deny.

file=/path/to/time.conf
    Provides an alternative path to the module's configuration file, overriding the standard location of /etc/security/time.conf. This is useful for custom or service-specific configurations.

field=DELIMITER
    Defines a custom character to be used as a field separator within the configuration file rules, instead of the default semicolon (;). This allows for flexibility in rule file formatting.

DESCRIPTION

pam_time is a PAM (Pluggable Authentication Modules) module designed to enforce time-based access control for system services. It limits whether a user can access a particular service based on criteria such as the current time of day, the specific day of the week, and even the terminal (tty) from which the connection is initiated.

Operating at the account management stage of the PAM transaction, pam_time consults its configuration file, typically /etc/security/time.conf, for a set of predefined rules. These rules dictate when and under what circumstances access is allowed or denied. This module is an essential tool for system administrators seeking to implement granular time-of-use policies, for example, restricting network logins or shell access to specific working hours or preventing out-of-hours activity for certain user groups. Its flexible rule syntax allows for precise control over service availability.

CAVEATS

pam_time functions exclusively within the PAM framework and is not a standalone command executed from the shell. Its effectiveness is entirely dependent on correct integration into PAM service files and the accuracy of the rules defined in /etc/security/time.conf.

Misconfiguration, particularly incorrect rule syntax or inappropriate default settings (e.g., deny without exhaustive rules), can lead to unintended access restrictions or even system lockouts for legitimate users. It strictly operates at the account management interface within the PAM stack and does not directly influence authentication credential verification or session management.

CONFIGURATION FILE (/etc/security/time.conf)

The rules governing pam_time are typically defined in the /etc/security/time.conf file. Each rule must be on a single line and consists of four distinct fields, separated by semicolons (;) by default:
1. services: A comma-separated list of PAM service names (e.g., login, sshd). An asterisk (*) can be used to match all services.
2. ttys: A comma-separated list of terminal names or patterns (e.g., console, tty*). An asterisk (*) matches all terminals.
3. users: A comma-separated list of usernames or group names (prefixed with %). An asterisk (*) matches all users.
4. times: A string defining the allowed days and times.

RULE SYNTAX FOR times FIELD

The times field utilizes a specific, compact syntax for specifying allowed periods:
- Days of the week: Represented by two letters: Mo, Tu, We, Th, Fr, Sa, Su. Ranges (e.g., Mo-Fr) and the two-letter abbreviations Wk (weekdays), Wd (weekend) and Al (all days, as used in the example below) are also supported.
- Time ranges: Indicated by four digits for start and end times (HHMM), separated by a hyphen (e.g., 0900-1700). Times can wrap around midnight (e.g., 2300-0200).

Example: The rule sshd;*;john;Al0900-1700 would permit user 'john' to log in via SSH any day of the week between 9 AM and 5 PM.
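The four-field rule format and the times syntax described in the two sections above lend themselves to a small audit script: given the text of a time.conf, a service, a tty, a user and a moment, report whether the rules would admit the attempt. The Python below is an added example written for this page, not code from the Linux-PAM project. It models only the syntax the page describes (comma-separated lists, * wildcards, %group entries, day names and ranges, the Wk/Wd/Al abbreviations and HHMM-HHMM windows that may wrap past midnight); the logic operators the real module also accepts are not modelled. It assumes that a rule matching service, tty and user but not the time denies, that a time window is start-inclusive and end-exclusive, that the day test is applied to the current day even when a window wraps past midnight, and that the default argument plays the role of the module's allow/deny options. The sample configuration and the names in it (john, ops, contractor) are constructed.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Index 0 = Monday, matching datetime.weekday(); Wk/Wd/Al are the time.conf(5) abbreviations.
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
ABBREV = {"Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}

# Constructed sample time.conf content (not taken from any real host).
SAMPLE_TIME_CONF = """\
# services;ttys;users;times
sshd;*;john;Al0900-1700
login;tty*;%ops;Wk0800-1800
*;*;contractor;Mo-Fr0900-1700
*;console;root;Sa-Su2300-0200
"""


def parse_conf(text, sep=";"):
    """Split time.conf text into (services, ttys, users, times) tuples.
    sep mirrors the module's field= option; a wrong field count is an error, not ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(sep)]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        rules.append(tuple(fields))
    return rules


def list_matches(field, value, groups=()):
    """Comma-separated list: shell-style patterns ('*', 'tty*') match value, '%name' matches a group."""
    for item in field.split(","):
        if item.startswith("%"):
            if item[1:] in groups:
                return True
        elif fnmatchcase(value, item):
            return True
    return False


def parse_days(spec):
    """Consume the leading day tokens of a times entry; return (weekday set, remaining HHMM-HHMM)."""
    days, i = set(), 0
    while i + 2 <= len(spec):
        tok = spec[i:i + 2]
        if tok in ABBREV:
            days |= ABBREV[tok]
            i += 2
        elif tok in DAYS:
            start, i = DAYS.index(tok), i + 2
            if spec[i:i + 1] == "-" and spec[i + 1:i + 3] in DAYS:  # a range such as Mo-Fr
                end, i = DAYS.index(spec[i + 1:i + 3]), i + 3
                days |= (set(range(start, end + 1)) if start <= end
                         else set(range(start, 7)) | set(range(end + 1)))
            else:
                days.add(start)
        else:
            break
    if not days:
        raise ValueError(f"no day specification in {spec!r}")
    return days, spec[i:]


def time_in_range(hhmm, rng):
    """HHMM-HHMM window; start inclusive, end exclusive (assumption). Wraps past midnight."""
    start, end = rng.split("-")
    if len(start) != 4 or len(end) != 4 or not (start + end).isdigit():
        raise ValueError(f"bad time range {rng!r}")
    s, e = int(start), int(end)
    if s <= e:
        return s <= hhmm < e
    return hhmm >= s or hhmm < e  # e.g. 2300-0200 covers 23:00 up to 02:00 the next day


def check_access(rules, service, tty, user, when, groups=(), default="allow"):
    """Decide 'allow' or 'deny' for one attempt; 'when' is a datetime or an ISO string.
    Model (assumption): a rule whose services, ttys and users all match but whose times
    field excludes 'when' denies; if no rule matches, 'default' applies (the allow/deny options)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    matched = False
    for services, ttys, users, times in rules:
        if (list_matches(services, service) and list_matches(ttys, tty)
                and list_matches(users, user, groups)):
            matched = True
            days, rng = parse_days(times)
            if when.weekday() not in days or not time_in_range(when.hour * 100 + when.minute, rng):
                return "deny"
    return "allow" if matched else default


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_TIME_CONF)
    print(check_access(rules, "sshd", "pts/0", "john", "2024-01-02T10:00"))  # a Tuesday, 10:00
    print(check_access(rules, "sshd", "pts/0", "john", "2024-01-02T18:00"))  # a Tuesday, 18:00
```

Running the file prints the decisions for a constructed Tuesday-morning and Tuesday-evening SSH attempt by john. Feeding parse_conf the contents of a real /etc/security/time.conf and iterating over the users and hours a policy is supposed to cover is a quick way to catch the deny-without-exhaustive-rules lockout the CAVEATS section warns about before a change reaches production.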

PAM STACK INTEGRATION

To activate pam_time's functionality, it must be added to the account management interface section within the relevant PAM service configuration file (e.g., /etc/pam.d/sshd or /etc/pam.d/login).

A typical entry in a PAM service file might appear as:
account required pam_time.so

The strategic placement of this line within the PAM stack is critical. It should generally be placed before any other modules that might unconditionally allow access, ensuring that time restrictions are evaluated first.

HISTORY

As a foundational PAM module, pam_time has been an integral component of the Linux-PAM project since its early development. Its inclusion addressed the critical need for flexible, system-level time-based access control, a common requirement in shared or enterprise computing environments. The module's design exemplifies the modular and extensible philosophy of the PAM architecture, allowing it to be seamlessly integrated into various system services without requiring modifications to the services themselves, thereby enhancing system security and administrative control.

SEE ALSO

pam(8), pam.conf(5), time.conf(5), login(1), sshd(8), su(1)
