System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Restricting user to login after there shift

Restricting user to login after there shift

Hi,

 

I have a hp-ux machine and there are 5different groups of users. Now we want to restrict one group of user from login once there shift is over. So it means only 2 group will be able to login at a particular time one is whose shift is there and other one is 24hrs group and rest 3 groups user can't login. Similarly for other groups also for other part of the day.

 

Plz let me know if we can restrict like this any how. 

 

Best regards

syed

13 REPLIES
Johnson Punniyalingam
Honored Contributor

Re: Restricting user to login after there shift

Yes its possible.. what is your hpux  os version ..?

Problems are common to all, but attitude makes the difference

Re: Restricting user to login after there shift

Hi Johnson,

 

It is HP-UX 11.31 64bit.

Johnson Punniyalingam
Honored Contributor

Re: Restricting user to login after there shift

man security or you can use smh to configure

 

Configure Per User Exceptions by entering valid user values as specified in security(4) man page. Enter <default> to remove a per user value. The per user value for the security attributes PASSWORD_MINDAYS, PASSWORD_MAXDAYS and PASSWORD_WARNDAYS cannot be removed individually.

 

Example :- 

 

/usr/sbin/userdbset -u shift1 LOGIN_TIMES=Mon

 

shift1 -> user account name

Login_time = Mon .. user can only login on Monday

Problems are common to all, but attitude makes the difference
Johnson Punniyalingam
Honored Contributor

Re: Restricting user to login after there shift

sorry correction on Login Time filed

Problems are common to all, but attitude makes the difference
Johnson Punniyalingam
Honored Contributor

Re: Restricting user to login after there shift

/usr/sbin/userdbset -u shift1 LOGIN_TIMES=Su

 

Shift1 -> user account , Login_Times=Su -> user can login only on sunday

Problems are common to all, but attitude makes the difference
Johnson Punniyalingam
Honored Contributor

Re: Restricting user to login after there shift

below will be the output

 

Trying...Connected to testserver

.Escape character is '^]'.

Local flow control onTelnet TERMINAL-SPEED option ON
HP-UX test server B.11.31 U ia64 (ta)
login: shift1

Password:

Access is denied by the LOGIN_TIMES attribute in security(4).

Connection closed by foreign host.

Problems are common to all, but attitude makes the difference
Dennis Handly
Acclaimed Contributor

Re: Restricting user to login after their shift

If you need to restrict logins during certain hours of the day, you could put the logic into each user's .profile.  If they are smart enough to defeat that, you would have to put it into /etc/profile.

Re: Restricting user to login after their shift

Hi Dennis,

 

Thnx for your reply, but can u plz let me know the full step how to put the logics in the .profile of each user as well as on /etc/profile.

 

Plz expplain the full steps.

 

Thnx in Advance

James R. Ferguson
Acclaimed Contributor

Re: Restricting user to login after their shift


Syed Furquan Alam wrote:

 

Thnx for your reply, but can u plz let me know the full step how to put the logics in the .profile of each user as well as on /etc/profile.

 


It would be appropriate to spell correctly; "...u plz..." isn't English, but "...you please..." would be.

 

That said, you basically want to determine the current date and or time and compare that to the period(s) you want to allow login.  If the user isn't logging in during his/her allowed period, simply exit.  For example, if you only wanted a user to login Monday through Friday and then only between 0800 and 1700, you might add this to your profile:

 

WDAY=$(date "+%w") # 0-Sunday, 6=Saturday
if [ ${WDAY} -lt 1 -o ${WDAY} -gt 5 ]; then
    echo "Weekend login not allowed"
    exit 1
fi
HOUR=$(date "+%H")
if [ ${HOUR} -lt 8 -o ${HOUR} -gt 16 ]; then
    echo "Invalid login period"
    exit 1
fi

Be advised, that if you choose to do this in '/etc/profile', then you want to make sure that it doesn't apply to the 'root' user --- an exercise left to you.

 

Regards!

 

...JRF...

 

Dennis Handly
Acclaimed Contributor

Re: Restricting user to login after their shift

WDAY=$(date "+%w") # 0-Sunday, 6=Saturday

HOUR=$(date "+%H")

 

Pedantic mode on:

Decades ago starting my first programming job, one of the first things I learned from an old timer is that you never want to ask for the time & date with two calls.  I.e. the first could be right before midnight.

You could also ask for WDAY again (especially if you have a broken OS that doesn't give you both at the same time) and compare, assuming the process didn't hang for 24 hours.  ;-)

James R. Ferguson
Acclaimed Contributor

Re: Restricting user to login after their shift


Dennis Handly wrote:

WDAY=$(date "+%w") # 0-Sunday, 6=Saturday

HOUR=$(date "+%H")

 

Pedantic mode on:

Decades ago starting my first programming job, one of the first things I learned from an old timer is that you never want to ask for the time & date with two calls.  I.e. the first could be right before midnight.


Well, that's not so pedanitc :-)  It's the same consideration we give to avoiding race conditions.

 

I would do better if I had done:

 

DATETIME=$(date "+%w":%H)
WDAY=$(echo ${DATETIME}|cut -d":" -f1)
HOUR=$(echo ${DATETIME}|cut -d":" -f2)

 Regards!

 

...JRF...

 

Re: Restricting user to login after their shift

Hi,

 

How can I make an entry in /etc/profiles because we have different groups of users and their login time are different for each groups and its user. I would like to make the restriction on groups basis since numbers of users is also very high, so it will be very difficult to make an entry in .profile of each users. So I would like to make the restriction for each groups having different working time and day.

 

So if I make an entry in /etc/profile it will effect all users. Right?

 

Appreciate you people all help.

 

Regards

Syed

Dennis Handly
Acclaimed Contributor

Re: Restricting user to login after their shift

>I would like to make the restriction on groups basis since numbers of users is also very high, so it will be very difficult to make an entry in .profile of each users. So I would like to make the restriction for each groups having different working time and day.

 

If each set of users is in a different Unix group, you can check that.

case $(id -ng) in

group1)  check limits ...  # insert logic from JRF's example

   ;;

group2)  check limits ...

   ;;

*)  # These are unlimited

   ;;

esac

 

>So if I make an entry in /etc/profile it will effect all users?

 

Only the ones you want it to do so.