Module Name: pam_deny
Author: Andrew G. Morgan <morgan@parc.power.net>
Maintainer: current Linux-PAM maintainer
Management groups provided: account; authentication; password; session
Clean code base: clean.
Overview of module:
This module can be used to deny access. It always indicates a failure to the application through the PAM framework. As noted in the overview section above, this makes it suitable for the default (OTHER) entries, so that any service without an explicit configuration fails closed rather than open.
Account component:
This component does nothing other than return a failure. The failure type is PAM_ACCT_EXPIRED. Stacking this module with type account prevents the user from gaining access to the system via applications that call Linux-PAM's account management function, pam_acct_mgmt().
The following example makes it impossible to log in through the login service, whatever the outcome of authentication:

    #
    # add this line to your other login entries to disable all accounts
    #
    login account required pam_deny.so
Authentication component:
This component does nothing other than return a failure. The failure type is PAM_AUTH_ERR when pam_authenticate() is called (that is, when the application tries to authenticate the user), and PAM_CRED_UNAVAIL when the application calls pam_setcred() to establish and set the credentials of the user.
To deny authentication to any application that has no configuration of its own, include the following line in your Linux-PAM configuration file:

    #
    # add this line to your existing OTHER entries to prevent authentication
    # succeeding with default applications.
    #
    OTHER auth required pam_deny.so
Password component:
This component denies the user the opportunity to change their password. It always responds with PAM_AUTHTOK_ERR when invoked.
Use this component to prevent an application from updating the user's password. For example, to stop login from automatically prompting for a new password when the old one has expired, include the following line in your configuration file:

    #
    # add this line to your other login entries to prevent the login
    # application from being able to change the user's password.
    #
    login password required pam_deny.so
Session component:
This component prevents an application from starting a session on the host. Stacked after another session module that displays a message of the day (at the time of writing such a module still needed to be written), it can be used to refuse a user a shell while still telling them why. Given a pam_motd module, the following entries configure login to inform the user that the system is reserved for system time and then deny the session. Because both entries are "required" rather than "requisite", pam_motd runs and displays its message before pam_deny's failure is returned to the application:
    #
    # An example to see how to configure login to refuse the user a
    # session (politely)
    #
    login session required pam_motd.so \
        file=/etc/system_time
    login session required pam_deny.so
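The behaviour of pam_deny in each of the stacks above depends on how Linux-PAM combines control flags, so the following is an added toy evaluator that models the four classic flags (required, requisite, sufficient, optional) and runs the page's own configuration lines through it. It is illustration written for this page, not Linux-PAM code, and it simplifies: modules are stand-ins (pam_motd is modelled as always succeeding, and a hypothetical pam_permit.so that always succeeds is added only to show a caveat), the session failure code PAM_SESSION_ERR and the fail-closed code PAM_PERM_DENIED for a service with no stack at all are assumptions not stated on this page. The "weak" service at the end goes beyond the page to show why pam_deny placed after a "sufficient" module that succeeds never runs.

```python
"""Toy model of Linux-PAM control-flag stacking, used to show what
pam_deny does in the account, auth and session stacks described above.
Added illustration only; not Linux-PAM's dispatcher."""

PAM_SUCCESS = "PAM_SUCCESS"

# Failure codes pam_deny returns per management group.  The first three are
# the ones named in the text; PAM_SESSION_ERR is an assumption for session.
PAM_DENY_CODES = {
    "auth": "PAM_AUTH_ERR",
    "account": "PAM_ACCT_EXPIRED",
    "password": "PAM_AUTHTOK_ERR",
    "session": "PAM_SESSION_ERR",
}

# Result modelled for a service+type that has neither its own entries nor
# an OTHER fallback.  Linux-PAM fails closed here; the exact code is assumed.
NO_STACK_CODE = "PAM_PERM_DENIED"


def pam_deny(mtype, trace):
    """Always fails, with the per-type code from the text."""
    trace.append("pam_deny")
    return PAM_DENY_CODES[mtype]


def pam_motd(mtype, trace):
    """Modelled as displaying its file and then succeeding."""
    trace.append("pam_motd")
    return PAM_SUCCESS


def pam_permit(mtype, trace):
    """Hypothetical always-succeeds module, used only for the caveat below."""
    trace.append("pam_permit")
    return PAM_SUCCESS


MODULES = {"pam_deny.so": pam_deny, "pam_motd.so": pam_motd,
           "pam_permit.so": pam_permit}


def parse_pam_conf(text):
    """Parse pam.conf-style lines: service type control module [args]."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, control, module = line.split()[:4]
        conf.setdefault((service, mtype), []).append((control, module))
    return conf


def run_stack(conf, service, mtype):
    """Return (result_code, list of modules that actually ran)."""
    stack = conf.get((service, mtype)) or conf.get(("OTHER", mtype))
    trace = []
    if not stack:
        return NO_STACK_CODE, trace
    failed = None          # first required/requisite failure, if any
    for control, module in stack:
        rc = MODULES[module](mtype, trace)
        if control == "required":
            # Failure is remembered but the rest of the stack still runs.
            if rc != PAM_SUCCESS and failed is None:
                failed = rc
        elif control == "requisite":
            # Failure returns immediately.
            if rc != PAM_SUCCESS:
                return failed or rc, trace
        elif control == "sufficient":
            # Success short-circuits unless a required module already failed.
            if rc == PAM_SUCCESS and failed is None:
                return PAM_SUCCESS, trace
        elif control == "optional":
            # Only decisive when it is the sole module in the stack.
            if len(stack) == 1:
                return rc, trace
        else:
            raise ValueError("unknown control flag: " + control)
    return failed or PAM_SUCCESS, trace


# The page's example lines, plus a constructed "weak" service for the caveat.
EXAMPLE_CONF = """
login   account  required   pam_deny.so
OTHER   auth     required   pam_deny.so
login   password required   pam_deny.so
login   session  required   pam_motd.so file=/etc/system_time
login   session  required   pam_deny.so
# Caveat: a sufficient module that succeeds ends the stack, so the
# pam_deny after it never runs.
weak    auth     sufficient pam_permit.so
weak    auth     required   pam_deny.so
"""

if __name__ == "__main__":
    conf = parse_pam_conf(EXAMPLE_CONF)
    for svc, typ in [("login", "account"), ("ftp", "auth"),
                     ("login", "session"), ("weak", "auth")]:
        print(svc, typ, run_stack(conf, svc, typ))
```

The login session case shows the point of the "polite" example: pam_motd runs first and only then does pam_deny's failure reach the application. The ftp case shows the OTHER auth entry catching a service with no configuration of its own. The weak case is the caveat to carry away: pam_deny only denies if control actually reaches it, so it must precede any sufficient module, or the stack must use requisite, for it to be a reliable lock-out.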