summaryrefslogtreecommitdiff
path: root/doc/modules/pam_nologin.sgml
blob: 52cf02a5b4903171e88b57b56bf4ad87caabcb57 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
<!--
   $Id$
   
   This file was written by Michael K. Johnson <johnsonm@redhat.com>
-->

<sect1>The no-login module

<sect2>Synopsis

<p>
<descrip>

<tag><bf>Module Name:</bf></tag>
<tt/pam_nologin/

<tag><bf>Author:</bf></tag>
Written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>

<tag><bf>Maintainer:</bf></tag>

<tag><bf>Management groups provided:</bf></tag>
account; authentication

<tag><bf>Cryptographically sensitive:</bf></tag>
	
<tag><bf>Security rating:</bf></tag>

<tag><bf>Clean code base:</bf></tag>

<tag><bf>System dependencies:</bf></tag>

<tag><bf>Network aware:</bf></tag>

</descrip>

<sect2>Overview of module

<p>
Provides standard Unix <em/nologin/ authentication.

<sect2>Authentication component

<p>
<descrip>

<tag><bf>Recognized arguments:</bf></tag>
successok, file=&lt;<em/filename/&gt;

<tag><bf>Description:</bf></tag>

Provides standard Unix <em/nologin/ authentication.  If the file
<tt>/etc/nologin</tt> exists, only root is allowed to log in; other
users are turned away with an error message (and the module returns
<tt/PAM_AUTH_ERR/ or <tt/PAM_USER_UNKNOWN/).  All users (root or
otherwise) are shown the contents of <tt>/etc/nologin</tt>.

<p>
If the file <tt>/etc/nologin</tt> does not exist, this module defaults
to returning <tt/PAM_IGNORE/, but the <tt/successok/ module argument
causes it to return <tt/PAM_SUCCESS/ in this case.

<p>
The administrator can override the default nologin file with the
<tt/file=/<em/pathname/ module argument.

<tag><bf>Examples/suggested usage:</bf></tag>

In order to make this module effective, all login methods should be
secured by it.  It should be used as a <tt>required</tt> method listed
before any <tt>sufficient</tt> methods in order to get standard Unix
nologin semantics. Note, the use of <tt/successok/ module argument
causes the module to return <tt/PAM_SUCCESS/ and as such would break
such a configuration - failing <tt/sufficient/ modules would lead to a
successful login because the nologin module <em/succeeded/.

</descrip>

<!--
End of sgml insert for this module.
-->