pam_deny

Author: Andrew G. Morgan <morgan@parc.power.net>
Maintainer: current Linux-PAM maintainer
Management groups provided: account; authentication; password; session
Clean code base: clean.
Overview of module:

This module can be used to deny access. It always indicates a failure
to the application through the PAM framework. As is commented in the
overview section above, this module might be suitable for use as the
default (the OTHER) entries.
Account component:

This component does nothing other than return a failure. The
failure type is PAM_ACCT_EXPIRED.

Stacking this module with type account will prevent the user from
gaining access to the system via applications that refer to
Linux-PAM's account management function pam_acct_mgmt().

The following example would make it impossible to login:

#
# add this line to your other login entries to disable all accounts
#
login account required pam_deny.so
Authentication component:

This component does nothing other than return a failure. The failure
type is PAM_AUTH_ERR in the case that pam_authenticate() is
called (when the application tries to authenticate the user), and is
PAM_CRED_UNAVAIL when the application calls pam_setcred()
(to establish and set the credentials of the user -- it is unlikely
that this function will ever be called in practice).

To deny access to default applications with this component of the
pam_deny module, you might include the following line in your
Linux-PAM configuration file:

#
# add this line to your existing OTHER entries to prevent authentication
# succeeding with default applications.
#
OTHER auth required pam_deny.so
Password component:

This component of the module denies the user the opportunity to change
their password. It always responds with PAM_AUTHTOK_ERR when
invoked.

This module should be used to prevent an application from updating the
applicant user's password. For example, to prevent login from
automatically prompting for a new password when the old one has
expired you should include the following line in your configuration
file:

#
# add this line to your other login entries to prevent the login
# application from being able to change the user's password.
#
login password required pam_deny.so
Session component:

This aspect of the module prevents an application from starting a
session on the host computer.

Together with another session module, that displays a message of the
day perhaps (XXX - such a module needs to be written),
this module can be used to block a user from starting a shell. Given
the presence of a pam_motd module, we might use the following
entries in the configuration file to inform the user it is system
time:

#
# An example to see how to configure login to refuse the user a
# session (politely)
#
login session required pam_motd.so \
file=/etc/system_time
login session required pam_deny.so
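Because a default (OTHER) entry only closes the door for the management groups it is actually listed under, it is worth checking that all four groups carry a required pam_deny.so line. The script below is an added example, not part of the Linux-PAM guide: missing_deny reads a configuration file and prints the groups (account, auth, password, session) that have no such line for the given service; it understands both the pam.conf layout used on this page (service in the first column) and the /etc/pam.d/<service> layout (no service column, selected by passing "" as the service). The configuration it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Linux-PAM guide): report which management
# groups of a service still lack a "required pam_deny.so" entry.
# Layouts handled:
#   pam.conf      : service type control module-path   (SERVICE given)
#   /etc/pam.d/x  : type control module-path           (SERVICE is "")
# Service names are matched case-insensitively (OTHER and other are the same).

# missing_deny CONFIG SERVICE -> prints groups with no deny line, "" if none
missing_deny() {
    cfg=$1 svc=$2 missing=""
    for group in account auth password session; do
        # strip comments, then look for: [service] group required ...pam_deny.so
        if ! sed 's/#.*//' "$cfg" | awk -v s="$svc" -v t="$group" '
            {
                if (s == "") { ok = 1; off = 0 }                     # pam.d layout
                else { ok = (tolower($1) == tolower(s)); off = 1 }  # pam.conf layout
            }
            ok && tolower($(1+off)) == t && tolower($(2+off)) == "required" &&
               $(3+off) ~ /(^|\/)pam_deny\.so$/ { found = 1 }
            END { exit !found }'
        then
            missing="$missing $group"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Demo on a constructed pam.conf fragment (not a real system file):
# OTHER is denied for auth and account only; password and session stay open.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
OTHER  auth     required  pam_deny.so
other  account  required  /lib/security/pam_deny.so
login  password required  pam_deny.so
EOF
printf 'OTHER groups without pam_deny: %s\n' "$(missing_deny "$demo_cfg" OTHER)"
rm -f "$demo_cfg"
```

A "sufficient" or "optional" pam_deny.so line is deliberately not counted, since it does not guarantee failure of the stack.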