[CentOS] pam_time.so and /etc/security/time.conf

Mon Dec 6 21:11:01 UTC 2010
James B. Byrne <byrnejb at harte-lyne.ca>

I am investigating how to limit user logins via sshd to specific
times of day. I have the basic syntax but what I want to know is how
does pam_time.so process time.conf.

Say I have a clutch of users  that should login between 07:00 and
18:00 Monday to Friday.  I infer that the following will handle
that:

sshd;*;*,Wk0700-1800

However, what is not clear to me is how does one permit certain
userids additional login periods while handling the majority of
users as above. Say user01 should also be allowed to logon during
Saturday mornings Sa0800-1200 and early evenings the rest of the
week wk1830-2100 Do I do this?

sshd:*;user01;AL1830-2100&Wk0700-1800&Sa0800-1200
sshd:*:*:Al1830-2100

or will this work?

sshd:*:user01:Sa0800-1200
sshd:*:user01:Wk1830-2100
sshd:*:*:Al0700-1800

or will this?

sshd:*:*:Al0700-1800
sshd:*:user01:Wk1830-2100
sshd:*:user01:Sa0800-1200

What I am trying to understand is whether the first result
encountered, either success or failure, is what is applied to a
given login attempt.  Or, does the stack progress until success or
it ends in which case it fails?

Recasting my question: Is it meaningful to have multiple entries for
a singe userid, whether explicitly given or as part of a wildcard,
contained in time.conf?

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3