The setting: A remote Linux server with about 10 users running CentOS 6.5. The users use a username/password to connect to the server with PuTTY. Certain users need to have X11 forwarding available, but others do not need and must not be able to use X11 forwarding, but they can login remotely. For the users with X11 forwarding, if they run a GUI application for more than an hour, it is killed automatically.

How can I apply these restrictions?

P.S. I could enable the X11 forwarding by modifying the sshd config file. However, I cannot do the rest.