lightdm and pam authentication (pam_time)

Bug #880326 reported by hhlp
This bug affects 2 people
Affects: lightdm (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

In previous versions of Ubuntu Linux, it is possible to assign time restrictions to your computer, to prevent the connection of one or more users to your system. With the time restrictions, you can, for example, limit access to the computer for your children (a kind of parental control, in short), or even protect the connection to your server during certain hours.

I use PAM (Pluggable Authentication Modules). It allows you to control user authentication when they connect. Then, we will use the security configuration files to define the logon hours allowed.

Enable Restrictions hours via the PAM Module

First of all, go to /etc/pam.d/, where all the configurable services are. This is available by default in the kernel of Linux...

If we want to block the connection to the computer, we will have to change the gdm service. Edit the gdm file and add this line (at the end of the file):

account required pam_time.so

GDM is the login screen in Ubuntu, but in 11.10 this changed to LightDM and I can't get this to work again....

I tested this parameter in the following files:

/etc/pam.d/lightdm and also /etc/pam.d/lightdm-autologin

without success .....

I also noticed that some PAM parameters changed, like

auth, session

How can I get this solution available again?

Regards,

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: lightdm 1.0.1-0ubuntu6
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic i686
ApportVersion: 1.23-0ubuntu3
Architecture: i386
Date: Sun Oct 23 13:54:32 2011
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release i386 (20111012)
ProcEnviron:
 PATH=(custom, no user)
 LANG=es_ES.UTF-8
 SHELL=/bin/bash
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

hhlp (hhlp-deactivatedaccount) wrote :
security vulnerability: yes → no
visibility: private → public
Jason Conti (jconti) wrote :

I managed to get this to work by editing both /etc/pam.d/lightdm and lightdm-autologin and adding:

account requisite pam_time.so

after the @include common-account line. Also edited /etc/pam.d/login and uncommented the pam_time.so line.

After that, I added a line to /etc/security/time.conf similar to:

login|lightdm*;*;username;!Al1400-1500

to deny login on all ttys and from lightdm for username between 2 and 3 pm. Works with lightdm-gtk-greeter, although strangely instead of saying 'Permission denied' it complains about an invalid password.
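
To check which logins a rule like the one above covers, here is a simplified model of how pam_time reads /etc/security/time.conf. It is an added example, not part of the bug report and not code from lightdm or Linux-PAM. The function names, the ":0" tty value and the sample date are assumptions, and netgroup (@group) tokens are not handled.

```python
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
GROUPS = {"Wk": DAYS[:5], "Wd": DAYS[5:], "Al": DAYS}

def glob_match(pattern, value):
    """Literal match, or a token containing a single '*' wildcard."""
    head, star, tail = pattern.partition("*")
    fits = len(value) >= len(head + tail) and value.startswith(head) and value.endswith(tail)
    return fits if star else pattern == value

def time_match(spec, now):
    """Match one token such as 'Al1400-1500' (day codes, then HHMM-HHMM; may wrap midnight)."""
    i, days = 0, set()
    while spec[i:i + 2].isalpha():
        days ^= set(GROUPS.get(spec[i:i + 2], [spec[i:i + 2]]))  # a repeated day cancels out
        i += 2
    start, end = (int(x) for x in spec[i:].split("-"))
    hhmm = now.hour * 100 + now.minute
    today, yesterday = DAYS[now.weekday()], DAYS[now.weekday() - 1]
    if start < end:
        return today in days and start <= hhmm < end
    return (today in days and hhmm >= start) or (yesterday in days and hhmm < end)

def logic_field(field, test):
    """Evaluate '!a|b&c' strictly left to right, with no operator precedence."""
    result = False
    for op, neg, token in re.findall(r"([|&]?)\s*(!?)\s*([^|&!\s]+)", field):
        hit = test(token) != bool(neg)
        result = (result and hit) if op == "&" else (result or hit)
    return result

def allowed(conf_text, service, tty, user, now):
    """False if any rule matching service, tty and user fails its time field."""
    for line in conf_text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(";")]
        if len(fields) != 4:
            continue  # blank, comment-only or malformed line
        applies = all(logic_field(f, lambda p, v=v: glob_match(p, v))
                      for f, v in zip(fields, (service, tty, user)))
        if applies and not logic_field(fields[3], lambda t: time_match(t, now)):
            return False
    return True

# Constructed input: the rule quoted in the comment above (":0" is an assumed tty value).
SAMPLE_CONF = "login|lightdm*;*;username;!Al1400-1500\n"
if __name__ == "__main__":
    print(allowed(SAMPLE_CONF, "lightdm", ":0", "username", datetime(2011, 10, 24, 14, 30)))
```

The model only reflects what time.conf says; the rule has no effect for a service unless that service's file in /etc/pam.d/ also loads pam_time.so in its account stack, as described in the comment above.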

Robert Ancell (robert-ancell) wrote :

hhlp, did the method that Jason used work for you?

Changed in lightdm (Ubuntu):
status: New → Invalid
status: Invalid → Incomplete
importance: Undecided → Medium
Wolfgang Bumiller (sp2-blub) wrote :

My problem might be related: it seems like for whatever reason pam_cap.so is ignored, or the capabilities dropped at some point.
Even if I use "required" in the pam_cap.so line in common-auth, `getpcaps $$` shows an empty inheritable set, whereas when I log in via ssh or the console, I get the capabilities configured in /etc/security/capability.conf

egis (egdamo) wrote :

Jason Conti's method worked for me, but if a user is already logged in, when a session expires the system doesn't disconnect it automatically - likely you should configure a cron command as described in http://askubuntu.com/questions/68918/how-do-i-restrict-my-kids-computing-time

Robert Ancell (robert-ancell) wrote :

Could you please test this in lightdm 1.1.6 (precise)? There has been a change to the way PAM is handled that should resolve this issue.

egis (egdamo) wrote :

I have already tested it in precise, and also configured cron command for disconnecting user session and notifying about it - everything works flawlessly.

Robert Ancell (robert-ancell) wrote :

OK, closing. Please reopen if anyone still doesn't have this working. Thanks!

Changed in lightdm (Ubuntu):
status: Incomplete → Fix Released