# Fine-grain control over user login, particularly regarding duration



## y2s82 (May 27, 2015)

Hello everyone,

TL;DR: is there a way to assign a login time/duration limit?

I am currently trying to help/convince my father to use a small network of FreeBSD-based computers for his business.  He is trying to offer access to computers for the visitors at his store.  He wants the customers to purchase the computer hours and then use the computer for the maximum of the purchased duration, after which the user is automatically logged off with all instances of programs closed.  I have seen this done quite commonly on the Windows machines in Korea for their famous PC-bangs (basically a room/floor full of computers with a central unit at the counter that controls the user login period).

Currently, the goal is to have three computers for customers with a central computer at the counter that controls each computer's login parameters.

A thin-client system is ruled out.  I thought of accessing each of the user computers via ssh from the central computer and using `sudo pw lock` and `sudo pw unlock` combined with `sleep` to control user login access and duration, but I was hoping there would be a way to better control when the duration would begin, and when it would end.  In fact, is there a way to have the three computers share all user information such that the customer would get an arbitrary login/password at the counter and choose any of the computers to log in to, and the login time begins automatically?  I am comfortable with scripting, though oblivious to programming.

Any assistance would be appreciated.


----------



## junovitch@ (May 27, 2015)

login.conf(5) is normally the means to do these kinds of customization.  There is a 'sessiontime' attribute that the manual documents as being reserved for third party applications and not implemented by default.  It does mention time windows as being available; however, that is different from what you asked.  If anything, I would recommend doing some research on what third party applications are available for Unix/Linux systems in general and seeing if any could fit the bill here.  Something out there must be able to use that 'sessiontime' attribute and give you what you are looking for.


----------



## y2s82 (May 28, 2015)

Thanks for the lead!  I did take a look at that man page, but most apparently I totally missed that attribute.  I'll do some more searching.


----------



## junovitch@ (May 28, 2015)

The centralized login capability could come from LDAP, for example net/openldap24-server.  It's just the 'sessiontime' attribute that may be the issue.  I'm not familiar with the topic so it may not be an issue.  It's just some ideas on where to start.  Hope that helps.


----------



## y2s82 (May 28, 2015)

Wow, I have some studying to do to figure out how to use LDAP.  I'm always interested in learning new things.

As for sessiontime, could PAM (such as pam_exec(8)) have some use in it?  I haven't found anything in terms of 3rd-party software though.  Also, how does it get enforced?  Is there a way for me to test it out and see if, say, it would kick out a user after 3 seconds of login time?  The man says it's reserved, so I wasn't sure how I may gain access to it.


----------



## SirDice (May 28, 2015)

It's explained in the man page:

```
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.
```
So the options are there (i.e. reserved) but nothing from the base OS (this includes pam_exec(8)) uses them.


----------



## y2s82 (May 28, 2015)

Thank you SirDice.  junovitch had explained that to me, too.  How can one interact with reserved parameters for login.conf?  I am guessing scripting is out of the question here.  Even in programming, are there any examples I may be able to see?


----------



## junovitch@ (Jun 2, 2015)

All the various section 3 man pages shown by `apropos pam` would give some more specific examples.  This article may be worth a look as well.  It looks like content-wise it may be dated but could be a starting point.

https://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html


----------
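The ssh + `pw unlock` / `sleep` / `pw lock` idea from the first post, written out as an added example that is not code from any poster in the thread. It does not use the reserved 'sessiontime' capability; the host `pc1`, the account `guest1`, the `RUN` dry-run switch, the `pkill` step and the `s`/`m`/`h`/`d` duration suffixes (a subset of the login.conf(5) time syntax) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: one paid session, driven from the counter machine.
# RUN is a command prefix: "echo" (default) only prints the plan;
# export RUN="" on the counter machine to actually execute it.
RUN=${RUN-echo}

# Convert a duration such as 90, 45m or 1h30m to seconds.
to_seconds() {
    rest=$1 total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        num=${rest%%[!0-9]*}                 # leading digits
        [ -n "$num" ] || return 1            # unit without a number
        rest=${rest#"$num"}
        # strip leading zeros so the shell does not read "08" as octal
        while [ "${num#0}" != "$num" ] && [ ${#num} -gt 1 ]; do num=${num#0}; done
        unit=${rest%"${rest#?}"}             # first char after the digits
        rest=${rest#?}
        case $unit in
            ''|s) mult=1 ;;
            m)    mult=60 ;;
            h)    mult=3600 ;;
            d)    mult=86400 ;;
            *)    return 1 ;;                # unknown suffix
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# timed_session HOST USER DURATION
timed_session() {
    host=$1 user=$2
    # ssh hands its arguments to a remote shell, so refuse anything
    # that is not a plain account name before it gets that far.
    case $user in
        ''|*[!a-z0-9_]*) echo "bad user name" >&2; return 1 ;;
    esac
    secs=$(to_seconds "$3") || { echo "bad duration: $3" >&2; return 1; }
    $RUN ssh "$host" sudo pw unlock "$user"
    $RUN sleep "$secs"
    $RUN ssh "$host" sudo pw lock "$user"         # stop new logins first
    $RUN ssh "$host" sudo pkill -KILL -u "$user"  # then end what is running
}

# Stand-alone use: sh session.sh pc1 guest1 1h30m
if [ $# -eq 3 ]; then timed_session "$@"; fi
```

Locking only prevents new password logins, which is why the last step ends the processes the account still has running.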

