Restricting Logins

Tip

There may be mechanisms and methods under other versions of Unix for restricting accounts and managing dormant accounts. We present the most common methods in this section of the book.

Some systems have the ability to restrict the circumstances under which each user may log in. In particular, you could specify times of day and days of the week for each account during which a user may not log in. You could also restrict the login account to a particular terminal line. These features are also available through the Pluggable Authentication Modules (PAM) module pam_time.

These restrictions are useful additional features to have, if they are available. They help prohibit access to accounts that are used only in a limited environment, thus narrowing the “window of opportunity” an attacker might have to exploit the system.

For example, if your system is used in a business setting, perhaps the receptionist will never log in from any network terminal, and he is never at work outside the hours of 7:00 a.m. to 7:00 p.m. on weekdays. Thus, you could configure his account to prohibit any logins outside those terminals and those hours. If an attacker knew the account existed and was involved in password cracking or other intelligence gathering over an off-site network connection, she would not be able to get in even if she stumbled across the correct password.
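A pam_time configuration that enforces the receptionist policy described above, as an added example that is not from the book. The account name `receptionist`, the terminal-name patterns, and the `account` stanza are assumptions for a Linux-PAM system.

```conf
# /etc/security/time.conf  (added example; not from the book)
#
# Format: services;ttys;users;times
# When the service, tty and user fields of a rule all match, access is
# granted only if the current time also matches the times field;
# otherwise pam_time returns "permission denied".
# Day codes: Mo Tu We Th Fr Sa Su, Wk = weekdays, Wd = weekend, Al = all.
# Operators: & (and), | (or), ! (not), * (wildcard).

# Assumed account "receptionist": local console ttys (tty*) but not
# pseudo-terminals (ttyp*, which carry network logins on BSD-style
# systems; use pts/* on systems that name them that way),
# weekdays 07:00-19:00 only.
login;tty*&!ttyp*;receptionist;Wk0700-1900

# Network logins that still pass through the login service: never.
login;ttyp*;receptionist;!Al0000-2400

# Logins through sshd, from any terminal: never.
sshd;*;receptionist;!Al0000-2400

# To enforce these rules, each PAM service file that should apply them
# (e.g. /etc/pam.d/login and /etc/pam.d/sshd) needs the line:
#   account required pam_time.so
```

pam_time runs in the account phase, so only services whose PAM configuration includes that `account` line are restricted; a service without it is not checked against time.conf at all.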

If your system does not support this feature yet, you can ask your vendor when it will be provided. If you want to ...

Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.