How do I restrict my kids' computing time?
Ubuntu <= 11.10 User's follow this guide for Ubuntu User's >= 11.10 read the Bottom page notice :
Yes all of those programs are out of date and all your questions are answered here and good look with your parent control.....
When we talk about forcing a user to log off, what we’re really talking about is implementing time restrictions on the account for system access or services. The easiest way I’ve found to implement time restrictions is using a plug-in module called Linux-PAM.
Pluggable Authentication Module (PAM) is a mechanism for authenticating users. Specifically, we’re going to use the pam_time
module to control timed access for users to services.
Using the pam_time
module, we can set access restrictions to a system and/or specific applications at various times of the day as well as on specific days or over various terminal lines. Depending on the configuration, you can use this module to deny access to individual users based on their name, the time of day, the day of week, the service they’re applying for, and their terminal from which they’re making the request.
When using pam_time
, you must terminate the syntax of each line (or rule) in the /etc/security/time.conf
file with a newline. You can comment each line with the pound sign [#], and the system will ignore that text until the newline.
Here’s the syntax for a rule:
services;ttys;users;times
The first field — services — is a logic list of PAM service names.
The second field — tty — is a logic list of terminal names.
The third field — users — is a logic list of users or a netgroup of users.
The fourth field — times — indicates the applicable times.
Here’s an example of a typical set of rules:
login ; * ; !bobby ; MoTuWeThFr0800-2000
login ; * ; !root ; !Al0000-2400
http ; * ; !bobby ; MoTuWeThFr0800-2000
http ; * ; !root; !Al0000-2400
These rules restrict user bobby from logging on between the hours of 0800 and 2000, and they also restrict Internet access during these hours. Root would be able to logon at any time and browse the Internet during all times as well.
Note: The system logs errors with these rules as syslog(3).
With Ubuntu Linux, it is possible to assign to your computer time restrictions, to prevent the connection of one or more users to your system. With the time restrictions, you can, for example, limit access to the computer for your children (a kind of parental control, in short), or even protect the connection to your server during certain hours.
Manual Configuration
Understand what you will do
Throughout this tutorial, we will use PAM (Pluggable Authentication Modules, English Pluggable Authentication Modules). It allows you to control user authentication when they connect. Then, we will use the security configuration files to define logon hours allowed. These manipulations can be performed on any version of Ubuntu, and require only a simple text editor (vim, emacs, nano, gedit, kate, to name a few). Enable Restrictions hours via the PAM Module
First of all, first go to the /etc/pam.d/
, where is all configurable services:
$ Ls /etc/pam.d/
atd common-account common-session gdm login ppp sudo
chfn common-auth cron gdm-autologin Other samba
chsh common-cupsys gnome-screensaver password passwd su
If we want to block the connection to the computer, we will have to change the gdm service. Edit the file so gdm and add this line of code (at the end of file):
account required pam_time.so
GDM is the login screen distributions Ubuntu, Edubuntu and Xubuntu. For Kubuntu, which uses KDE, kdm service is called, it will be the file it will open. And you're done for configuring the PAM! This will enable the control of hours on this service.
If you have a server, you probably do not have no GUI. In this case, GDM / KDM not installed and the connection will not be blocked. To prevent connection to TTY, you must modify the login of the same file, and add the same line of code than previously acknowledged. This action also applies to people who have installed a GUI and want to block access to the login screen and terminals.
Configure Access Hours
Now that the PAM service has been activated, we only have to configure access times. Open the /etc/security
. Several configuration files are available:
$ Ls /etc/security/
access.conf namespace.conf pam_env.conf
group.conf namespace.init time.conf
limits.conf opasswd time.conf.bak
Edit the file time.conf
. Some explanations and examples (English) introducing the. To set access schedules, copy and paste the following line of code (at the end of the file, as always):
*;*;user;scheduler
Instead of the user field, enter the login account you want to block.
If you want to block multiple users, enter their login in a row, separated by the | operator. For example, if I want to freeze the accounts of Patrick, John and Emily:
*;*;Patrick|jean|emilie;scheduler
By cons, if you want to block access to the system for all users but one in particular, use the! before the person concerned. For example, if I want access to the computer is denied to all users, except Nicolas and Xavier:
Nicolas *;*;!|xavier;scheduler
Turning now to the field zones. In this field that the selection of days and hours will be allowed connection possible. You must first specify the day of the week, using the following abbreviations:
Mo : Monday Fr : Friday Wd : Sa/Su
Tu : Tuesday Sa : Saturday wk : Mo/Tu/We/Th/Fr
We : Wenesday Su : Sunday
Th : Thursday Al : All Days
Be careful not to confuse the abbreviations Wk and Wd are misleading! particularly poorly identified on the Internet: you can easily find conflicting information!
Then, we specify the deadlines. These should be formatted 24H, consisting of 4 digits. For example, to restrict 3:17 p.m. to 6:34 p.m., we write: 1517-1834. To allow Marie to connect only on Tuesday, from 3:17 p.m. to 6:34 p.m., we obtain the result:
*;*;marie;Tu1517-1834
Connections outside of these hours will be banned. As for users, it is possible to use the operators | and! to indicate several times (the! then indicate that all logon hours are allowed, except those to be shown).
The two stars (wildcards) at the beginning of the line of code are, respectively, and tty services fields. Since you want to block all access to the system, it is unnecessary to specify what service or what tty you want to block. However, if you want to prevent the use of a particular service, simply specify it as the following example:
login;tty1|tty4|tty5;marie;!Wd0000-2400
Thus, the user marry can not connect to a TTY, 4 and 5 during the weekend.
Some Examples of Restrictions Schedule
mathilde is allowed to connect every day from 1:20 p.m. to 3:20 p.m. and from 4:00 p.m. to 8:30 p.m.:
*;*;mathilde;Al1320-1520|Al1600-2030
Stone, Frank and Florian are allowed to connect to 2:00 p.m. to 6:45 p.m. during the weekdays, and 2:00 p.m. to 10:15 p.m. for the weekend:
*;*;Stone|franck|florian;Wk1400-1845|Wd1400-2215
Olive is never allowed to connect. jessica can log on Wednesday from 1:00 p.m. to 4:00 p.m.:
*;*;olivier;!Al0000-2400
*;*;jessica;We1300-1600
2 different lines, for two different time for each user Expiration of a Session
When a session expires (it exceeds the time while the user is already connected), the PAM can reach the user. While mathilde connects during the hours of time allowed, it is perfectly free to exceed these hours! For this, we will use a new program: ´cron´. This application executes commands at intervals of time. In our case, we will make use of command ´skill-KILL-u´ to disconnect the user when the session expires. Handling is very simple. Simply edit the file ´/etc/crontab´. Then add the following line of code:
Minute Hour Day * * (s) root skill -KILL -u User
As before, replacing the Minute field schedules and time desired. Then fill in the day (s) by (s) day (s) banned (s), or simply type an asterisk (*) to indicate all days of the week. Finally, change the field used by the login account to be blocked, and voila!
Days do not notice the same way with the cron
jobs! Here is the list of abbreviations to be used with this program:
mon : monday fri : friday
tue : tuesday sat : saturday
wed : wednesady sun : sunday
thu : thursday * : all hours
Some Examples of cron
jobs (with examples of times in the previous section)
jessica can log on Wednesday from 1:00 p.m. to 4:00 p.m.
-> Disconnect: Tuesday at 4:00 p.m..
00 16 * root * wed skill -KILL -u jessica
mathilde is allowed to connect every day from 1:20 p.m. to 3:20 p.m. and from 4:00 p.m. to 8:30 p.m..
-> Disconnecting: Daily, 8:30 p.m. to 3:20 p.m. ET.
20 15 * * * root skill -KILL -u mathilde
30 20 * * * root skill -KILL -u mathilde
Stone, Frank and Florian are allowed to connect to 2:00 p.m. to 6:45 p.m. during the weekdays, and 2:00 p.m. to 10:15 p.m. for the weekend
-> Disconnect (1): Monday, Tuesday, Wednesday, Thursday and Friday, at 18:45. -> Disconnect (2): Saturday and Sunday at 10:15 p.m..
45 18 * * mon,tue,wed,thu,fri root skill -KILL -u stone && skill -KILL -u franck && skill -KILL -u florian
15 22 * * sat,sun root skill -KILL -u stone && skill -KILL -u franck && skill -KILL -u florian
The command skill-KILL-u disconnects the user from the GUI, as well as TTY. It is perfectly usable for server administrators. However, this command is immediate and the disconnection will be made without notice. It would therefore be preferable to prevent the installation of this device users of the computer or network in question!
It is possible to prevent users with a wall
command launched by cron
few minutes before the end of the timeframe, that will be displayed in the terminals of all users.
40 18 * * Mon,Tue,wed,thu,fri root echo "end of session in 5 minutes" | wall
To prevent users from GUI can be used in place of the wall command notify-send
is in the package libnotify-bin
40 18 * * Mon,Tue,wed,thu,fri stone DISPLAY=:0 notify-send "end of session in 5 minutes"
Ubuntu 11.10 User's
I've seen around user having problems with Pam and i saw alot of bug about that so Why is the reason??? is so simple Ubuntu 11.10 doens't support GDM anymore the new display manager is lightGDM the problem is the follow where store this directive account required pam_time.so
i think is in /etc/pam.d/lightdm
or /etc/pam.d/lightdm-autologin
but bug how ???
so for just around you can check this 2 LightGdm log files :
- /var/log/lightdm/lightdm.log
- /var/log/lightdm/x-0.log
or run LightGdm in debug mode :
LightDM --debug
or report a bug :
ubuntu-bug lightdm
I report the Bug's here so cross your finger and wait....
TimeKpr
I guess it has everything you need. Limit access time per day per user, easy gui for configuration, abitlity to bypass for a day, add some "reward time", notification of remaining time for users, etc.
The project page is here. They also have a PPA for ubuntu which you can add to your Software Sources: deb http://ppa.launchpad.net/timekpr-maintainers/ppa/ubuntu lucid main
. And install via Software Center or via CLI: sudo apt-get install timekpr
.
Timekpr
can be used in 11.10 running LightDM to setup restrictions for users by adding the following line to /etc/pam.d/lightdm
account required pam_time.so
We may need to remove libpam-smbpass to enable user switching until bug #835310 is fixed.
All restrictons defined in the application window work as defined in the timekpr GUI.
To display the timekpr-client icon in Unity we need to whitelist 'timekpr'
in Unity panel settings, and in addition we need to add Unity
to the following line in /etc/xdg/autostart/timekpr-client.desktop
:
OnlyShowIn=GNOME;XFCE;KDE;Unity;
To start the countdown of the time granted we may have to start the timekpr daemon with
/etc/init.d/timekpr start
for 14.04:
A newer release/fork of timekpr was published for Ubuntu 14.04 by Eduards Bezverhijs in his ppa:mjasnik/ppa
.