pam_deny
Deny authentication attempts for specified services
SYNOPSIS
pam_deny is a PAM module, not a standalone command. It is invoked within PAM configuration files, typically located in /etc/pam.d/.
The general syntax for including a PAM module in a configuration file line is:
module-interface control-flag pam_deny.so [module-arguments]
Example usage in a PAM configuration file:
auth requisite pam_deny.so
account required pam_deny.so
Here, module-interface refers to the PAM management group (e.g., auth, account), and control-flag determines the module's behavior within the PAM stack (e.g., requisite, required, sufficient, optional). pam_deny.so is the module library. No module-specific arguments are typically used with pam_deny.so.
PARAMETERS
module-interface
The PAM management group to which this module applies, such as auth (authentication), account (account management), password (password changes), or session (session management).
control-flag
Determines the module's impact on the overall success or failure of the PAM transaction. Common flags include requisite (failure aborts immediately), required (failure eventually denies but stack continues), sufficient (success returns immediately if no prior required failure), and optional (success/failure not critical).
module-arguments
Arguments specific to the PAM module. pam_deny.so does not accept any specific arguments. Any arguments listed after pam_deny.so on the configuration line would be ignored by this particular module.
DESCRIPTION
The pam_deny module is a core component of the Pluggable Authentication Modules (PAM) framework in Linux. Unlike typical authentication modules that verify user credentials, pam_deny serves a singular, explicit purpose: to unconditionally deny any authentication, account, password, or session management request it processes. It is designed to always fail, regardless of user input or system state.
This module is not a standalone command but rather a shared library (pam_deny.so) loaded and invoked by the PAM system based on configurations in files like /etc/pam.d/service_name. Its primary use cases include:
1. Hardening a Service: Placing pam_deny.so with a requisite control flag at the beginning of a PAM stack can effectively disable access to a specific service.
2. Default Deny: As the final module in a stack, so that a request which no earlier module has already accepted (for example via a sufficient module) is denied rather than falling through; with a required flag it fails the transaction even if every preceding module permitted access.
3. Explicit Denial: In complex PAM configurations, it can be used to ensure that certain conditions or specific users are always denied access, overriding other potential grants.
Due to its absolute denial behavior, pam_deny must be used with extreme caution within PAM configuration files to avoid unintentionally locking out legitimate users or administrators from critical services.
CAVEATS
Using pam_deny incorrectly can lead to severe access issues, potentially locking users, including administrators, out of services or even the entire system. It should always be placed carefully within the PAM stack, considering the order of modules and their control flags. For instance, placing it too early with a requisite flag might deny all access, regardless of subsequent modules.
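To make the control-flag semantics and the placement rules above concrete, the following is an added example (not code from the pam_deny module or the Linux-PAM project): a small evaluator for the requisite/required/sufficient/optional rules, run over constructed stacks that put pam_deny at the start, at the end after a sufficient module, and at the end after a required module. The pam_unix stand-in and its user list are constructed for the example.

```python
# Added example: a minimal model of Linux-PAM control-flag semantics,
# used to show where pam_deny.so bites in a stack. Not the real libpam.

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7   # Linux-PAM code returned by pam_deny's auth hook


def pam_deny(_user):
    """Always fails, like pam_deny.so, regardless of the user."""
    return PAM_AUTH_ERR


def make_unix(valid_users):
    """Constructed stand-in for a credential checker such as pam_unix.so."""
    def pam_unix(user):
        return PAM_SUCCESS if user in valid_users else PAM_AUTH_ERR
    return pam_unix


def run_stack(stack, user):
    """Evaluate [(control_flag, module), ...] top to bottom and return the
    result code the calling service would see."""
    first_required_failure = None
    for flag, module in stack:
        rc = module(user)
        if flag == "requisite":
            if rc != PAM_SUCCESS:
                return rc                      # abort the stack immediately
        elif flag == "required":
            if rc != PAM_SUCCESS and first_required_failure is None:
                first_required_failure = rc    # remember it, keep running
        elif flag == "sufficient":
            if rc == PAM_SUCCESS and first_required_failure is None:
                return PAM_SUCCESS             # short-circuit: nothing below runs
        elif flag == "optional":
            pass                               # result does not affect outcome
        else:
            raise ValueError(f"unsupported control flag: {flag}")
    return PAM_SUCCESS if first_required_failure is None else first_required_failure


pam_unix = make_unix({"alice"})              # constructed: only alice has valid creds

# The three placements discussed in DESCRIPTION and CAVEATS:
disabled_service = [("requisite", pam_deny), ("required", pam_unix)]   # service hardened/off
default_deny = [("sufficient", pam_unix), ("required", pam_deny)]      # fall-through is denied
always_denied = [("required", pam_unix), ("required", pam_deny)]       # valid creds still lose

if __name__ == "__main__":
    for name, stack in [("disabled_service", disabled_service),
                        ("default_deny", default_deny), ("always_denied", always_denied)]:
        for user in ("alice", "mallory"):
            print(f"{name:17} {user:8} -> {run_stack(stack, user)}")
```

Only the default_deny stack admits alice; the other two deny everyone, which is the lock-out the CAVEATS section warns about.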
SECURITY IMPLICATIONS
The primary security implication of pam_deny is its ability to enforce a 'default deny' or 'explicit deny' policy. This is a critical security principle, ensuring that access is only granted when explicitly allowed by other modules in the PAM stack. It can be used to permanently disable specific login methods or to create highly restrictive access policies for sensitive services.
HISTORY
pam_deny is a foundational PAM module that has been part of the Linux PAM (Pluggable Authentication Modules) suite since its early development. The PAM framework itself was developed to provide a flexible and modular authentication mechanism, abstracting authentication details from applications. Modules like pam_deny.so (and its counterpart pam_permit.so) represent the most basic building blocks for defining access policies, making them essential components from the inception of PAM.
SEE ALSO
pam(8), pam.d(5), pam_permit(8), pam_unix(8)