PAM can deny authentication to a user by username, UID, or group (the fields pam_succeed_if.so can test). This section shows how to ban users from logging in through specific login channels, i.e. per PAM service file.
To disable root login, add the following:

# Disable root login
auth required pam_succeed_if.so user != root quiet_success

to the PAM configuration of each login service you want to close, such as /etc/pam.d/login, /etc/pam.d/sshd, /etc/pam.d/sddm, etc., but NOT to /etc/pam.d/common-auth or /etc/pam.d/su. pam_succeed_if.so returns success only when its condition holds, so for root the module fails and the required control makes the whole auth stack fail (later modules still run, so the password is still prompted for, but the final result is a denial). quiet_success stops the module from logging every successful check. Place the line above the modules that check the password (pam_unix.so, on Debian reached through "@include common-auth") so the rule is evaluated before them.
IMPORTANT NOTE
Do not put this rule in /etc/pam.d/common-auth or /etc/pam.d/su. common-auth is included by nearly every service file, su included, so the rule there locks root out of every channel at once, and "su -" (which authenticates the target user, root) stops working. Without a rescue disc or a user with working sudo, there is no way to recover root access.

Here is an example in /etc/pam.d/login and /etc/pam.d/sshd:
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# Disable root login
auth required pam_succeed_if.so user != root quiet_success
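The following script, an added example rather than part of the original page or of Linux-PAM, audits a pam.d directory for the rule above and flags the two files where it must not appear. It builds a constructed sample tree (the file contents and the temp directory are assumptions for demonstration) and can be pointed at a real /etc/pam.d:

```sh
#!/bin/sh
# Added example (not from the original page): audit a pam.d directory for the
# "auth required pam_succeed_if.so user != root" rule, and flag the two files
# (common-auth, su) where that rule locks root out entirely.
# The tree built by make_sample_pamd is constructed for demonstration; point
# audit_pamd at a real /etc/pam.d to check a system.

# True (exit 0) if FILE has an active, uncommented auth rule that denies root
# through pam_succeed_if, written either as "user != root" or as "uid ne 0".
pam_denies_root() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_succeed_if\.so[[:space:]].*(user[[:space:]]*!=[[:space:]]*root|uid[[:space:]]+ne[[:space:]]+0)([[:space:]]|$)' "$1"
}

# Print one status line per file in DIR. Exit 1 if the rule was found in
# common-auth or su (the files the note above warns about), else 0.
audit_pamd() {
    dir=$1
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if pam_denies_root "$f"; then
            case $name in
                common-auth|su)
                    echo "DANGER $name: root denied here, su - to root is impossible"
                    bad=1 ;;
                *)
                    echo "OK     $name: root login denied" ;;
            esac
        else
            echo "OPEN   $name: root login still allowed"
        fi
    done
    return $bad
}

# Build a constructed sample tree in a temp dir and print its path.
make_sample_pamd() {
    d=$(mktemp -d)
    # sshd: rule present, exactly as in the example above
    cat > "$d/sshd" <<'EOF'
auth requisite pam_nologin.so
# Disable root login
auth required pam_succeed_if.so user != root quiet_success
@include common-auth
EOF
    # login: rule commented out, so root can still log in on the console
    cat > "$d/login" <<'EOF'
auth requisite pam_nologin.so
#auth required pam_succeed_if.so user != root quiet_success
@include common-auth
EOF
    # su: rule placed where the note says never to put it
    cat > "$d/su" <<'EOF'
auth required pam_succeed_if.so user != root quiet_success
@include common-auth
EOF
    # common-auth: an untouched Debian-style stack
    cat > "$d/common-auth" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
EOF
    echo "$d"
}

# Run as "sh audit_pamd.sh /etc/pam.d"; with no argument only the functions
# are defined, so the file can be sourced.
[ "$#" -eq 0 ] || audit_pamd "$1"
```

The match is deliberately loose about the control field, so bracketed controls such as [success=1 default=ignore] are handled too; a rule that is commented out counts as absent, which is exactly what OPEN is meant to catch.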
To disable an ordinary user there is no need to edit the PAM files: lock the account and PAM will deny the login on its own. passwd -l USER (or usermod -L USER) prefixes the password hash in /etc/shadow with "!", a value no password can match, so pam_unix.so fails the auth stack. Note that this locks only the password: with UsePAM yes (the Debian default for sshd), a user who has a key in authorized_keys still gets in, because public-key authentication never runs the PAM auth stack. To close every channel, also expire the account with usermod --expiredate 1 USER; pam_unix.so enforces the expiry in the account stack, which sshd does run for key logins.
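As an added example (not from the original page), the script below reads /etc/shadow-style entries and tells the password lock set by passwd -l apart from an account expiry, which is the check to run before trusting that a user is really disabled on every channel. The four entries are constructed samples with shortened hashes; the field positions follow shadow(5):

```sh
#!/bin/sh
# Added example (not from the original page): read a user's /etc/shadow entry
# and report how, if at all, the account is locked. Field layout (shadow(5)):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# A hash starting with "!" (passwd -l, usermod -L) or "*" defeats only the
# password check in the auth stack. An expire day that has passed is enforced
# by pam_unix.so in the account stack, which sshd still runs for public-key
# logins, so only expiry closes every channel. The entries below are
# constructed samples with shortened hashes, not from a real system.

# Print one of: active, password-locked, expired, password-locked+expired.
# $1 = one shadow line; $2 = "today" in days since 1970-01-01 (default: now).
shadow_lock_state() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    state=""
    case $hash in
        '!'*|'*'*) state="password-locked" ;;
    esac
    # pam_unix treats an empty expire field as "never" and any numeric value
    # that is <= today (0 included) as expired.
    case $expire in
        *[!0-9]*|'') ;;
        *) if [ "$expire" -le "$today" ]; then state="${state:+$state+}expired"; fi ;;
    esac
    echo "${state:-active}"
}

# True (exit 0) only if the entry stops every login path, i.e. is expired.
# A locked hash alone still lets an authorized_keys login through sshd.
blocks_all_logins() {
    case $(shadow_lock_state "$1" "${2:-}") in
        *expired*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample entries ("today" for the demo below is day 20000):
SHADOW_ACTIVE='alice:$6$s$h:19000:0:99999:7:::'
SHADOW_PWLOCK='bob:!$6$s$h:19000:0:99999:7:::'      # after: passwd -l bob
SHADOW_EXPIRED='carol:$6$s$h:19000:0:99999:7::1:'   # after: usermod --expiredate 1 carol
SHADOW_BOTH='dave:!$6$s$h:19000:0:99999:7::1:'      # both applied

for e in "$SHADOW_ACTIVE" "$SHADOW_PWLOCK" "$SHADOW_EXPIRED" "$SHADOW_BOTH"; do
    printf '%-6s %s\n' "${e%%:*}" "$(shadow_lock_state "$e" 20000)"
done
```

On a live system, source the file as root and run shadow_lock_state "$(getent shadow USER)"; if blocks_all_logins reports false for a user you believe is disabled, the account is only password-locked and an SSH key would still work.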
That is all for disabling users in PAM configuration.