summaryrefslogtreecommitdiff
path: root/doc/modules/pam_deny.sgml
blob: 7d9df7e7bd9f512505b759e1dbb9afd47316901a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
<!--
   $Id$
   
   This file was written by Andrew G. Morgan <morgan@kernel.org>
-->

<sect1>The locking-out module

<sect2>Synopsis

<p>
<descrip>

<tag><bf>Module Name:</bf></tag>
pam_deny

<tag><bf>Author:</bf></tag>
Andrew G. Morgan &lt;morgan@kernel.org&gt;

<tag><bf>Maintainer:</bf></tag>
current <bf/Linux-PAM/ maintainer

<tag><bf>Management groups provided:</bf></tag>
account; authentication; password; session

<tag><bf>Cryptographically sensitive:</bf></tag>

<tag><bf>Security rating:</bf></tag>

<tag><bf>Clean code base:</bf></tag>
clean.

<tag><bf>System dependencies:</bf></tag>

<tag><bf>Network aware:</bf></tag>

</descrip>

<sect2>Overview of module

<p>
This module can be used to deny access. It always indicates a failure
to the application through the PAM framework. As is commented in the
overview section <ref id="overview-section" name="above">, this module
might be suitable for using for default (the <tt/OTHER/) entries.

<sect2>Account component

<p>
<descrip>

<tag><bf>Recognized arguments:</bf></tag>

<tag><bf>Description:</bf></tag>

This component does nothing other than return a failure. The
failure type is <tt/PAM_ACCT_EXPIRED/.

<tag><bf>Examples/suggested usage:</bf></tag>

Stacking this module with type <tt/account/ will prevent the user from
gaining access to the system via applications that refer to
<bf/Linux-PAM/'s account management function <tt/pam_acct_mgmt()/.

<p>
The following example would make it impossible to login:
<tscreen>
<verb>
#
# add this line to your other login entries to disable all accounts
#
login	account	 required	pam_deny.so
</verb>
</tscreen>

</descrip>

<sect2>Authentication component

<p>
<descrip>

<tag><bf>Recognized arguments:</bf></tag>

<tag><bf>Description:</bf></tag>

This component does nothing other than return a failure. The failure
type is <tt/PAM_AUTH_ERR/ in the case that <tt/pam_authenticate()/ is
called (when the application tries to authenticate the user), and is
<tt/PAM_CRED_UNAVAIL/ when the application calls <tt/pam_setcred()/
(to establish and set the credentials of the user -- it is unlikely
that this function will ever be called in practice).

<tag><bf>Examples/suggested usage:</bf></tag>

To deny access to default applications with this component of the
<tt/pam_deny/ module, you might include the following line in your
<bf/Linux-PAM/ configuration file:
<tscreen>
<verb>
#
# add this line to your existing OTHER entries to prevent
# authentication succeeding with default applications.
#
OTHER	auth	 required	pam_deny.so
</verb>
</tscreen>

</descrip>

<sect2>Password component

<p>
<descrip>

<tag><bf>Recognized arguments:</bf></tag>

<tag><bf>Description:</bf></tag>

This component of the module denies the user the opportunity to change
their password. It always responds with <tt/PAM_AUTHTOK_ERR/ when
invoked.

<tag><bf>Examples/suggested usage:</bf></tag>

This module should be used to prevent an application from updating the
applicant user's password. For example, to prevent <tt/login/ from
automatically prompting for a new password when the old one has
expired you should include the following line in your configuration
file:
<tscreen>
<verb>
#
# add this line to your other login entries to prevent the login
# application from being able to change the user's password.
#
login	password required	pam_deny.so
</verb>
</tscreen>

</descrip>

<sect2>Session component

<p>
<descrip>

<tag><bf>Recognized arguments:</bf></tag>

<tag><bf>Description:</bf></tag>

This aspect of the module prevents an application from starting a
session on the host computer.

<tag><bf>Examples/suggested usage:</bf></tag>

Together with another session module, that displays a message of the
day perhaps (XXX - such a module needs to be written),
this module can be used to block a user from starting a shell. Given
the presence of a <tt/pam_motd/ module, we might use the following
entries in the configuration file to inform the user it is system
time:
<tscreen>
<verb>
#
# An example to see how to configure login to refuse the user a
# session (politely)
#
login	session	 required	pam_motd.so \
			file=/etc/system_time
login	session	 required	pam_deny.so
</verb>
</tscreen>

</descrip>

<!--
End of sgml insert for this module.
-->