How do I restrict my kids' computing time?

Access to our computer (not only to the internet) needs to be restricted for the accounts of my kids (7, 8) until they are old enough to manage this by themselves. Until then we need to be able to define the following:

  • the hours of the day when computing is o.k. (e.g. 5 - 9 pm)
  • the days of the week when computing is not o.k. (e.g. mondays to fridays)
  • the amount of time allowed per day (e.g. 2 hours)

In 11.10 all of the following that used to do the job don't work any more:

  • Timekpr: for > 11.10 no more available through the ppa.
  • Timeoutd: command line alternative, but from 11.10 removed from the repositories.
  • Gnome Nanny: Looks great but repeatedly crashes to force restarting X-server. So we can't use or recommed this program at the moment.

Are there any other alternatives?


Solution 1:

Ubuntu <= 11.10 User's follow this guide for Ubuntu User's >= 11.10 read the Bottom page notice :

Yes all of those programs are out of date and all your questions are answered here and good look with your parent control.....

When we talk about forcing a user to log off, what we’re really talking about is implementing time restrictions on the account for system access or services. The easiest way I’ve found to implement time restrictions is using a plug-in module called Linux-PAM.

Pluggable Authentication Module (PAM) is a mechanism for authenticating users. Specifically, we’re going to use the pam_time module to control timed access for users to services.

Using the pam_time module, we can set access restrictions to a system and/or specific applications at various times of the day as well as on specific days or over various terminal lines. Depending on the configuration, you can use this module to deny access to individual users based on their name, the time of day, the day of week, the service they’re applying for, and their terminal from which they’re making the request.

When using pam_time, you must terminate the syntax of each line (or rule) in the /etc/security/time.conf file with a newline. You can comment each line with the pound sign [#], and the system will ignore that text until the newline.

Here’s the syntax for a rule:

services;ttys;users;times

The first field —  services — is a logic list of PAM service names.
The second field — tty — is a logic list of terminal names.
The third field — users — is a logic list of users or a netgroup of users.
The fourth field — times — indicates the applicable times.

Here’s an example of a typical set of rules:

login ; * ; !bobby ; MoTuWeThFr0800-2000
login ; * ; !root ; !Al0000-2400
http ; * ; !bobby ; MoTuWeThFr0800-2000
http ; * ; !root; !Al0000-2400

These rules restrict user bobby from logging on between the hours of 0800 and 2000, and they also restrict Internet access during these hours. Root would be able to logon at any time and browse the Internet during all times as well.

Note: The system logs errors with these rules as syslog(3).


With Ubuntu Linux, it is possible to assign to your computer time restrictions, to prevent the connection of one or more users to your system. With the time restrictions, you can, for example, limit access to the computer for your children (a kind of parental control, in short), or even protect the connection to your server during certain hours.

Manual Configuration

Understand what you will do

Throughout this tutorial, we will use PAM (Pluggable Authentication Modules, English Pluggable Authentication Modules). It allows you to control user authentication when they connect. Then, we will use the security configuration files to define logon hours allowed. These manipulations can be performed on any version of Ubuntu, and require only a simple text editor (vim, emacs, nano, gedit, kate, to name a few). Enable Restrictions hours via the PAM Module

First of all, first go to the /etc/pam.d/, where is all configurable services:

$ Ls /etc/pam.d/
atd common-account common-session gdm login ppp sudo
chfn common-auth cron gdm-autologin Other samba
chsh common-cupsys gnome-screensaver password passwd su

If we want to block the connection to the computer, we will have to change the gdm service. Edit the file so gdm and add this line of code (at the end of file):

account required pam_time.so

GDM is the login screen distributions Ubuntu, Edubuntu and Xubuntu. For Kubuntu, which uses KDE, kdm service is called, it will be the file it will open. And you're done for configuring the PAM! This will enable the control of hours on this service.

If you have a server, you probably do not have no GUI. In this case, GDM / KDM not installed and the connection will not be blocked. To prevent connection to TTY, you must modify the login of the same file, and add the same line of code than previously acknowledged. This action also applies to people who have installed a GUI and want to block access to the login screen and terminals.

Configure Access Hours

Now that the PAM service has been activated, we only have to configure access times. Open the /etc/security. Several configuration files are available:

$ Ls /etc/security/
access.conf namespace.conf pam_env.conf
group.conf namespace.init time.conf
limits.conf opasswd time.conf.bak

Edit the file time.conf. Some explanations and examples (English) introducing the. To set access schedules, copy and paste the following line of code (at the end of the file, as always):

*;*;user;scheduler

Instead of the user field, enter the login account you want to block.

If you want to block multiple users, enter their login in a row, separated by the | operator. For example, if I want to freeze the accounts of Patrick, John and Emily:

*;*;Patrick|jean|emilie;scheduler

By cons, if you want to block access to the system for all users but one in particular, use the! before the person concerned. For example, if I want access to the computer is denied to all users, except Nicolas and Xavier:

Nicolas *;*;!|xavier;scheduler

Turning now to the field zones. In this field that the selection of days and hours will be allowed connection possible. You must first specify the day of the week, using the following abbreviations:

Mo : Monday     Fr : Friday     Wd : Sa/Su
Tu : Tuesday    Sa : Saturday   wk : Mo/Tu/We/Th/Fr
We : Wenesday   Su : Sunday
Th : Thursday   Al : All Days

Be careful not to confuse the abbreviations Wk and Wd are misleading! particularly poorly identified on the Internet: you can easily find conflicting information!

Then, we specify the deadlines. These should be formatted 24H, consisting of 4 digits. For example, to restrict 3:17 p.m. to 6:34 p.m., we write: 1517-1834. To allow Marie to connect only on Tuesday, from 3:17 p.m. to 6:34 p.m., we obtain the result:

*;*;marie;Tu1517-1834

Connections outside of these hours will be banned. As for users, it is possible to use the operators | and! to indicate several times (the! then indicate that all logon hours are allowed, except those to be shown).

The two stars (wildcards) at the beginning of the line of code are, respectively, and tty services fields. Since you want to block all access to the system, it is unnecessary to specify what service or what tty you want to block. However, if you want to prevent the use of a particular service, simply specify it as the following example:

login;tty1|tty4|tty5;marie;!Wd0000-2400

Thus, the user marry can not connect to a TTY, 4 and 5 during the weekend.

Some Examples of Restrictions Schedule

mathilde is allowed to connect every day from 1:20 p.m. to 3:20 p.m. and from 4:00 p.m. to 8:30 p.m.:

*;*;mathilde;Al1320-1520|Al1600-2030

Stone, Frank and Florian are allowed to connect to 2:00 p.m. to 6:45 p.m. during the weekdays, and 2:00 p.m. to 10:15 p.m. for the weekend:

*;*;Stone|franck|florian;Wk1400-1845|Wd1400-2215

Olive is never allowed to connect. jessica can log on Wednesday from 1:00 p.m. to 4:00 p.m.:

*;*;olivier;!Al0000-2400
*;*;jessica;We1300-1600

2 different lines, for two different time for each user Expiration of a Session

When a session expires (it exceeds the time while the user is already connected), the PAM can reach the user. While mathilde connects during the hours of time allowed, it is perfectly free to exceed these hours! For this, we will use a new program: ´cron´. This application executes commands at intervals of time. In our case, we will make use of command ´skill-KILL-u´ to disconnect the user when the session expires. Handling is very simple. Simply edit the file ´/etc/crontab´. Then add the following line of code:

Minute Hour Day * * (s) root skill -KILL -u User

As before, replacing the Minute field schedules and time desired. Then fill in the day (s) by (s) day (s) banned (s), or simply type an asterisk (*) to indicate all days of the week. Finally, change the field used by the login account to be blocked, and voila!

Days do not notice the same way with the cron jobs! Here is the list of abbreviations to be used with this program:

mon : monday    fri : friday
tue : tuesday   sat : saturday
wed : wednesady sun : sunday
thu : thursday   *  : all hours

Some Examples of cron jobs (with examples of times in the previous section)

jessica can log on Wednesday from 1:00 p.m. to 4:00 p.m.

-> Disconnect: Tuesday at 4:00 p.m..

00 16 * root * wed skill -KILL -u jessica

mathilde is allowed to connect every day from 1:20 p.m. to 3:20 p.m. and from 4:00 p.m. to 8:30 p.m..

-> Disconnecting: Daily, 8:30 p.m. to 3:20 p.m. ET.

20 15 * * * root skill -KILL -u mathilde
30 20 * * * root skill -KILL -u mathilde

Stone, Frank and Florian are allowed to connect to 2:00 p.m. to 6:45 p.m. during the weekdays, and 2:00 p.m. to 10:15 p.m. for the weekend

-> Disconnect (1): Monday, Tuesday, Wednesday, Thursday and Friday, at 18:45. -> Disconnect (2): Saturday and Sunday at 10:15 p.m..

45 18    * * mon,tue,wed,thu,fri   root    skill -KILL -u stone && skill -KILL -u franck && skill -KILL -u florian
15 22    * * sat,sun               root    skill -KILL -u stone && skill -KILL -u franck && skill -KILL -u florian

The command skill-KILL-u disconnects the user from the GUI, as well as TTY. It is perfectly usable for server administrators. However, this command is immediate and the disconnection will be made without notice. It would therefore be preferable to prevent the installation of this device users of the computer or network in question!

It is possible to prevent users with a wall command launched by cron few minutes before the end of the timeframe, that will be displayed in the terminals of all users.

40 18 * * Mon,Tue,wed,thu,fri root echo "end of session in 5 minutes" | wall

To prevent users from GUI can be used in place of the wall command notify-send is in the package libnotify-bin Install X

40 18 * * Mon,Tue,wed,thu,fri stone DISPLAY=:0 notify-send "end of session in 5 minutes"

Ubuntu 11.10 User's

I've seen around user having problems with Pam and i saw alot of bug about that so Why is the reason??? is so simple Ubuntu 11.10 doens't support GDM anymore the new display manager is lightGDM the problem is the follow where store this directive account required pam_time.so i think is in /etc/pam.d/lightdm or /etc/pam.d/lightdm-autologin but bug how ???

so for just around you can check this 2 LightGdm log files :

  • /var/log/lightdm/lightdm.log
  • /var/log/lightdm/x-0.log

or run LightGdm in debug mode :

LightDM --debug

or report a bug :

ubuntu-bug lightdm

I report the Bug's here so cross your finger and wait....

Solution 2:

TimeKpr

I guess it has everything you need. Limit access time per day per user, easy gui for configuration, abitlity to bypass for a day, add some "reward time", notification of remaining time for users, etc.

The project page is here. They also have a PPA for ubuntu which you can add to your Software Sources: deb http://ppa.launchpad.net/timekpr-maintainers/ppa/ubuntu lucid main. And install via Software Center or via CLI: sudo apt-get install timekpr.

Solution 3:

Auto-logoff is extremely frustrating if you are in the middle of something. It's violent, it's brutal, it's plain rude. And it doesn't matter how old you are. It's one thing when you are just computer addicted and it's very different when you are tracking time and get kicked out 5 seconds before you managed to click that submit button or save your document. I suggest you to consider using an auto-reminder instead of an auto-kicker. That will teach your kids to respect each other and allow each other to use the computer willingly.

There's even a lighter alternative. Start by tracking the amount of time that each kid spends using the computer and make the gathered data available for all of them so they can see it. This incredibly simple thing alone (applied to internet bandwidth spent) has saved my life when I was being the network admin in an office full of adults. The public stats about bandwidth usage for each computer (just the amount of bytes, not deanonymizing info like lists of visited sites etc) turned the situation from "me - the evil greedy admin against them - the poor abused office users" to "man, you downloaded 5 times more than me, that's bad!" "sorry, I downloaded indeed, I watched a lot of youtube during lunch breaks, won't do it anymore at this rate" - I was simply excluded from the confrontation scenario.