Disable User Account Login

PAM can deny a user the right to authenticate based on username, UID, or group membership. This section shows how to refuse logins for particular users on particular login channels (console, SSH, a display manager) without touching the rest of the system.

Disabling Root

To stop root from logging in directly, add the following line:

# Disable root login
auth       required   pam_succeed_if.so user != root quiet_success

to the PAM service file of each login channel you want to close (/etc/pam.d/login, /etc/pam.d/sshd, /etc/pam.d/sddm, and so on), but never to /etc/pam.d/common-auth or /etc/pam.d/su. pam_succeed_if.so succeeds for every user except root, so with the required control the auth stack fails whenever root is the user being authenticated. Place the line before any @include, include or substack entry that pulls in the shared stack, and before any sufficient module: a sufficient module that succeeds ends evaluation of the stack immediately, so a deny rule placed after it would never be reached.

IMPORTANT NOTE

  • Adding the above line to /etc/pam.d/common-auth or /etc/pam.d/su locks root out from the inside: common-auth is included by nearly every service, and su authenticates against the target user (root), so su - fails as well. Without a recovery disc or a working sudo account, there is no way to get root access back.

Here is an example of the resulting auth section in /etc/pam.d/login and /etc/pam.d/sshd:

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# Disable root login
auth       required   pam_succeed_if.so user != root quiet_success

Disabling Users

To disable an ordinary user on every channel, lock the account rather than editing PAM: passwd -l USER (or usermod -L USER) prefixes the password hash with "!" and pam_unix then rejects any password authentication for that account. Note that a locked password does not stop logins that never consult the hash, such as SSH public-key authentication; to close those too, also expire the account (chage -E 0 USER, or usermod -e 1 USER as the usermod man page recommends), which makes the pam_unix account check fail. To deny a user on only some channels, use the same pam_succeed_if.so line with a different condition, for example user != alice, user notingroup nossh, or uid >= 1000; the condition describes who is allowed, and anyone who fails it is denied.

That's all for disabling users in PAM service files.