Fine-grain control over user login, particularly regarding duration

Hello everyone,

TL;DR: Is there a way to assign a login time/duration limit?

I am currently trying to help/convince my father to use a small network of FreeBSD-based computers for his business. He is trying to offer access to computers for the visitors at his store. He wants the customers to purchase computer hours and then use the computer for a maximum of the purchased duration, after which the user is automatically logged off with all instances of programs closed. I have seen this done quite commonly on the Windows machines in Korea for their famous PC-bangs (basically a room/floor full of computers with a central unit at the counter that controls the user login period).

Currently, the goal is to have three computers for customers with a central computer at the counter that controls each computer's login parameters.

A thin-client system is ruled out. I thought of accessing each of the user computers via ssh from the central computer and using sudo pw lock and sudo pw unlock combined with sleep to control user login access and duration, but I was hoping there would be a way to better control when the duration would begin and when it would end. In fact, is there a way to have the three computers share all user information such that the customer would get an arbitrary login/password at the counter and choose any of the computers to log in to, and the login time begins automatically? I am comfortable with scripting, though oblivious on programming.

Any assistance would be appreciated. :)
 
login.conf(5) is normally the means to do these kinds of customization. There is a 'sessiontime' attribute that the manual documents as being reserved for third party applications and not implemented by default. It does mention time windows as being available; however, that is different from what you asked. If anything, I would recommend doing some research on what third party applications are available for Unix/Linux systems in general and seeing if any could fit the bill here. Something out there must be able to use that 'sessiontime' attribute and give you what you are looking for.
 
Thanks for the lead! I did take a look at that man page, but most apparently I totally missed that attribute. I'll do some more searching :D
 
The centralized login capability could come from LDAP, for example net/openldap24-server. It's just the 'sessiontime' attribute that may be the issue. I'm not familiar with the topic so it may not be an issue. It's just some ideas on where to start. Hope that helps.
 
Wow, I have some studying to do to figure out how to use LDAP. I'm always interested in learning new things :)

As for sessiontime, could PAM (such as pam_exec(8)) have some use in it? I haven't found anything in terms of 3rd-party software though. Also, how does it get enforced? Is there a way for me to test it out and see if, say, it would kick out a user after 3 seconds of login time? The man page says it's reserved, so I wasn't sure how I may gain access to it.
 
It's explained in the man page:
Code:
The following capabilities are reserved for the purposes indicated and
may be supported by third-party software. They are not implemented in
the base system.
So the options are there (i.e. reserved) but nothing from the base OS (this includes pam_exec(8)) uses them.
 
Thank you SirDice. junovitch had explained that to me, too. How can one interact with reserved parameters for login.conf? I am guessing scripting is out of the question here. Even in programming, are there any examples I may be able to see?
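
Added example (not part of the thread and not FreeBSD code): one way a script could read the reserved 'sessiontime' value from a login.conf(5)-style class entry and turn it into seconds. The "kiosk" class and the sample file are constructed, and the function names are hypothetical; the parser handles only the d, h, m and s time suffixes and does not follow tc= references.

```shell
# Constructed sample input; the "kiosk" class is hypothetical.
sample_login_conf() {
    cat <<'EOF'
default:\
	:umask=022:
kiosk|Customer seat:\
	:sessiontime=1h30m:\
	:tc=default:
EOF
}

# get_cap FILE CLASS CAP: print the value of CAP in CLASS.
# Limitation: tc= references to other classes are not followed.
get_cap() {
    awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }                      # comment line
        { rec = rec $0 }
        /\\$/ { sub(/\\$/, "", rec); next }      # continued record
        {
            n = split(rec, f, ":"); rec = ""
            m = split(f[1], names, "|"); hit = 0 # name and aliases
            for (i = 1; i <= m; i++) if (names[i] == class) hit = 1
            if (!hit) next
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (index(f[i], cap "=") == 1) { print substr(f[i], length(cap) + 2); exit }
            }
        }' "$1"
}

# cap_time_to_seconds VALUE: "1h30m" -> 5400; a bare number is seconds.
# Only the d, h, m and s suffixes are handled; bad input returns 1.
cap_time_to_seconds() {
    printf '%s\n' "$1" | awk '
        BEGIN { u["d"] = 86400; u["h"] = 3600; u["m"] = 60; u["s"] = 1 }
        {
            s = $0; total = 0; if (s == "") exit 1
            while (s != "") {
                if (!match(s, /^[0-9]+/)) exit 1
                num = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
                unit = substr(s, 1, 1)
                if (unit == "") unit = "s"; else s = substr(s, 2)
                if (!(unit in u)) exit 1
                total += num * u[unit]
            }
            print total
        }'
}
```

Against a real file the call would be `cap_time_to_seconds "$(get_cap /etc/login.conf kiosk sessiontime)"`, with the class name replaced by whichever class the customer accounts use.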
 