I am investigating how to limit user logins via sshd to specific times of day. I have the basic syntax but what I want to know is how does pam_time.so process time.conf.

Say I have a clutch of users that should login between 07:00 and 18:00 Monday to Friday. I infer that the following will handle that:

sshd;*;*,Wk0700-1800

However, what is not clear to me is how does one permit certain userids additional login periods while handling the majority of users as above. Say user01 should also be allowed to logon during Saturday mornings Sa0800-1200 and early evenings the rest of the week wk1830-2100 Do I do this?

sshd:*;user01;AL1830-2100&Wk0700-1800&Sa0800-1200 sshd:*:*:Al1830-2100

or will this work?

sshd:*:user01:Sa0800-1200 sshd:*:user01:Wk1830-2100 sshd:*:*:Al0700-1800

or will this?

sshd:*:*:Al0700-1800 sshd:*:user01:Wk1830-2100 sshd:*:user01:Sa0800-1200

What I am trying to understand is whether the first result encountered, either success or failure, is what is applied to a given login attempt. Or, does the stack progress until success or it ends in which case it fails?

Recasting my question: Is it meaningful to have multiple entries for a singe userid, whether explicitly given or as part of a wildcard, contained in time.conf?