Restricting SSH access based on time, and printing a usage message
Q I have recently been given the task of running our internal Linux systems. We are planning to allow our developers to have remote SSH access. One of the requirements is that all users connecting from the exterior be presented with a message stating the terms and conditions of usage. Could you give me some hints on how I could get this configured in a RHEL4 operating system? Also, do you know if it is possible to prevent logins between 2 and 4 am? I have some Cron jobs running at this time that are quite resource intensive, and don't want people logging in and consuming more resources.
A Restricting access to services is a common task that most system administrators need to do in the course of their work. There is more than one way to do this with Linux (see man motd and man issue), but it just so happens that PAM (Pluggable Authentication Modules) will let you do both of the tasks you are trying to accomplish. PAM is a powerful and versatile system that allows any program compiled with it to use its modules for authentication, accounting, etc. Each program has its own configuration file in /etc/pam.d. This is what /etc/pam.d/sshd looks like by default:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
For consistency, Red Hat configures PAM so that all modules that provide system authentication use stacked authentication rules (/etc/pam.d/system-auth). Since we do not want the message to appear for any other service, we need to change /etc/pam.d/sshd only. We will also add the pam_time lines to prevent SSH logins from 2 to 4 am. This is what it would look like:
#%PAM-1.0
account    required     pam_time.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    required     pam_motd.so motd=/etc/sshmotd
Now all you need to do is put the message of the day in /etc/sshmotd and add the following to /etc/security/time.conf:
You should be very careful with PAM, as it is a very powerful authentication mechanism that can lock even root out of the system. I recommend that you first try any changes in a testing environment.
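A small model of how a pam_time rule is evaluated, so a rule can be checked against sample login times before it goes onto a live system. This is an added example, not part of the original answer: the rule in SAMPLE_RULES is constructed, and the evaluator is a simplified reading of the time.conf(5) syntax (service and user fields match only an exact name or `*`, and the tty field is ignored).

```python
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # index matches datetime.weekday()
GROUPS = {"Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7))}

def item_matches(item, when):
    """Evaluate one time item such as '!Al0200-0400' against a datetime."""
    negate = item.startswith("!")
    m = re.fullmatch(r"((?:[A-Z][a-z])+)(\d{4})-(\d{4})", item.lstrip("!"))
    if not m:
        raise ValueError(f"bad time item: {item!r}")
    days = set()
    for code in re.findall(r"[A-Z][a-z]", m.group(1)):
        # A repeated day is toggled off again: "AlMo" means every day except Monday.
        days ^= GROUPS.get(code) or {DAYS.index(code)}
    start, end = int(m.group(2)), int(m.group(3))
    now = when.hour * 100 + when.minute
    today = when.weekday()
    if start < end:
        hit = today in days and start <= now < end
    else:  # the range runs past midnight into the next day
        hit = (today in days and now >= start) or ((today - 1) % 7 in days and now < end)
    return hit != negate

def times_match(field, when):
    """Evaluate items joined by '&' or '|' strictly left to right."""
    tokens = re.split(r"\s*([&|])\s*", field.strip())
    result = item_matches(tokens[0], when)
    for op, item in zip(tokens[1::2], tokens[2::2]):
        nxt = item_matches(item, when)
        result = (result and nxt) if op == "&" else (result or nxt)
    return result

def login_allowed(rules, service, user, when):
    """Deny when a rule matches the service and user but its time test fails."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, _ttys, users, times = [f.strip() for f in line.split(";")]
        if services in ("*", service) and users in ("*", user) and not times_match(times, when):
            return False
    return True

# Constructed rule: refuse sshd logins for every user, every day, from 02:00 to 04:00.
SAMPLE_RULES = "sshd;*;*;!Al0200-0400\n"
```

Because the rule names only the sshd service, a console login at 03:00 is still permitted, which leaves a way back in if the SSH rule turns out to be wrong.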