Disable User Account Login
PAM can deny authentication to specific users based on username, UID, or group. This section shows how to block users from logging in through specific login channels.
Disabling Root
To disable root login, add the following:
# Disable root login
auth required pam_succeed_if.so user != root quiet_success
into login PAM scripts such as /etc/pam.d/login, /etc/pam.d/sshd, /etc/pam.d/sddm, etc., but not into /etc/pam.d/common-auth or /etc/pam.d/su.
IMPORTANT NOTE
- Adding the above statement into /etc/pam.d/common-auth and /etc/pam.d/su will lock the root account out entirely, and users can no longer run the su - command. Without a proper recovery disc or sudo accounts set up, it is impossible to recover access.
Here is an example in /etc/pam.d/login and /etc/pam.d/sshd:
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# Disable root login
auth required pam_succeed_if.so user != root quiet_success
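The check below is an added example, not part of the original page: it scans a PAM directory for active copies of the root-deny rule and flags the two files the note above warns about. The function name audit_root_deny and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a PAM directory for the root-deny rule.
# Only active (uncommented) auth lines are matched; an optional leading "-"
# on the module type is allowed, as PAM accepts "-auth".
RULE='^[[:space:]]*-?auth[[:space:]].*pam_succeed_if\.so[[:space:]].*user[[:space:]]+!=[[:space:]]+root([[:space:]]|$)'

# audit_root_deny [DIR]   (hypothetical helper; DIR defaults to /etc/pam.d)
# Prints "OK <file>" for each login channel carrying the rule and
# "DANGER <file>" when the rule sits in common-auth or su.
# Returns 1 if any DANGER file was found, 0 otherwise.
audit_root_deny() {
    dir=${1:-/etc/pam.d}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq "$RULE" "$f" || continue
        case $(basename "$f") in
            common-auth|su)
                echo "DANGER $f: rule here also blocks 'su -' to root"
                rc=1
                ;;
            *)
                echo "OK $f: root login denied on this channel"
                ;;
        esac
    done
    return $rc
}

# When run as a script with a directory argument, audit that directory.
if [ $# -gt 0 ]; then
    audit_root_deny "$1"
fi
```

Files that pull in common-auth through an include line are not followed by this check; it only reports where the rule is written directly.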
Disabling Users
To disable users, simply lock the user account. PAM will handle authentication accordingly.
That's all for disabling users in PAM scripts.