PAM can deny authentication to a specific user based on username, UID, or group. This section shows how to ban users from logging in through specific login channels (PAM services).
To disable root logins, add the following lines:

    # Disable root login
    auth required pam_succeed_if.so user != root quiet_success

to the PAM scripts of the login services you want to protect (for example /etc/pam.d/login, /etc/pam.d/sshd, /etc/pam.d/sddm, and so on), but never to /etc/pam.d/common-auth or /etc/pam.d/su.
IMPORTANT NOTE

Adding the rule to /etc/pam.d/common-auth or /etc/pam.d/su locks the root account out entirely: users can no longer run the su - command. Without a proper recovery disc or a sudo-capable account already set up, it is impossible to recover access.

Here is an example for /etc/pam.d/login and /etc/pam.d/sshd:

    # Disallows other than root logins when /etc/nologin exists
    # (Replaces the `NOLOGINS_FILE' option from login.defs)
    auth requisite pam_nologin.so
    # Disable root login
    auth required pam_succeed_if.so user != root quiet_success

To disable a non-root user, simply lock the account; PAM will then reject that user's authentication accordingly.
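The following shell script is an added example, not part of the original page: it inserts a pam_succeed_if deny rule of the kind shown above into a per-service PAM file, and builds in the two checks a practitioner wants before touching these files: it refuses the two files the note warns about (common-auth and su) and it is idempotent, so running it twice does not stack duplicate rules. It generalizes slightly beyond the page by accepting any pam_succeed_if condition (user, uid, ingroup/notingroup are real pam_succeed_if fields and operators), so the same helper can ban by username, UID, or group as the section's first sentence describes. The function names pam_safe_target, pam_add_deny and pam_deny_root, the exit codes, and the sandbox directory and group name nossh are this example's own assumptions; it operates on a directory passed as an argument so it can be tried on a copy rather than the live /etc/pam.d.

```shell
#!/bin/sh
# Added example (not the page's own code): manage pam_succeed_if deny rules
# in a per-service PAM file inside a chosen directory.

# pam_safe_target SERVICE
# Returns 0 when SERVICE may receive a deny rule, 1 for the two files whose
# editing locks root out (/etc/pam.d/common-auth and /etc/pam.d/su).
pam_safe_target() {
    case "$1" in
        common-auth|su) return 1 ;;
        *) return 0 ;;
    esac
}

# pam_add_deny PAMDIR SERVICE CONDITION
# Inserts "auth required pam_succeed_if.so CONDITION quiet_success" before the
# first auth line of PAMDIR/SERVICE (or appends it if the file has none).
# Exit codes (this example's own): 2 = protected service, 3 = file missing.
pam_add_deny() {
    pamdir=$1; service=$2; condition=$3
    pam_safe_target "$service" || {
        echo "refusing to edit $service: it would lock root out" >&2
        return 2
    }
    file="$pamdir/$service"
    [ -f "$file" ] || { echo "no such PAM service file: $file" >&2; return 3; }
    rule="auth required pam_succeed_if.so $condition quiet_success"
    # Idempotent: exact same rule already present, nothing to do.
    grep -qxF -- "$rule" "$file" && return 0
    awk -v rule="$rule" -v comment="# Deny rule: $condition" '
        !done && $1 == "auth" { print comment; print rule; done = 1 }
        { print }
        END { if (!done) { print comment; print rule } }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pam_deny_root PAMDIR SERVICE
# The page's own rule: reject root on the given service.
pam_deny_root() {
    pam_add_deny "$1" "$2" 'user != root'
}

# Demonstration on a constructed sandbox, never on the live /etc/pam.d.
SANDBOX=$(mktemp -d)
printf '#%%PAM-1.0\nauth requisite pam_nologin.so\nauth include common-auth\n' > "$SANDBOX/sshd"
pam_deny_root "$SANDBOX" sshd
# Ban by group as well: only accounts NOT in the constructed group "nossh" pass.
pam_add_deny "$SANDBOX" sshd 'user notingroup nossh'
echo "--- $SANDBOX/sshd after edits ---"
cat "$SANDBOX/sshd"
pam_deny_root "$SANDBOX" su || echo "exit status $?: su is protected, unchanged"
rm -rf "$SANDBOX"
```

Because the rule is `required` rather than `requisite`, the rest of the auth stack still runs after a denied match and the failure is reported only at the end, which is why `quiet_success` keeps the logs clean without changing the outcome; placing the rule before the first existing auth line simply keeps the file readable.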
That's all for disabling users in PAM scripts.