pam_nologin
Prevent user logins based on /etc/nologin
SYNOPSIS
auth [control-flags] pam_nologin.so
DESCRIPTION
The pam_nologin PAM module prevents users from logging in if the /etc/nologin file exists. If the file exists, only users with a UID less than LOGIN_UID_MAX (defined in /etc/login.defs) and members of groups listed in /etc/nologin.d are permitted to log in. This is commonly used during system maintenance to prevent normal users from logging in and potentially interfering with administrative tasks.
When a user attempts to log in and /etc/nologin exists, pam_nologin displays the contents of the file to the user and denies access. This provides a mechanism for informing users why they are unable to log in. The module is typically used in the auth section of the PAM configuration, ensuring that the check occurs early in the authentication process.
CAVEATS
The /etc/nologin file must be readable by all users for the message to be displayed correctly. Ensure proper permissions are set. This module does not offer any configurable parameters.
USAGE
To use this module, add a line similar to the synopsis to the PAM configuration file for the service you wish to protect (e.g., /etc/pam.d/login or /etc/pam.d/sshd). The control-flags (e.g., required, requisite, optional, sufficient) determine how the module's success or failure affects the overall authentication process.
EXAMPLE CONFIGURATION
A typical entry in /etc/pam.d/login might look like:
auth required pam_nologin.so
This ensures that pam_nologin is always checked during the authentication process. If /etc/nologin exists, logins will be denied as described above.
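The shell helper below is an added example, not part of the original page or of the PAM project. It checks the two points above that an administrator would verify before a maintenance window: that the nologin file is world-readable, and that each service file loads pam_nologin.so in its auth section with a control flag that makes a failure block the login. The function names and the ENFORCED/WEAK/MISSING labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PAM project): audit helper for pam_nologin.
# Function names and the ENFORCED/WEAK/MISSING labels are assumptions.

# Print the state of the nologin file: absent, readable (world-readable, so
# the message can be displayed) or unreadable (exists, "other" lacks read).
nologin_state() {
    f=${1:-/etc/nologin}
    [ -e "$f" ] || { echo absent; return 0; }
    # Character 8 of the ls mode string is the read bit for "other".
    if [ "$(ls -ldL "$f" | cut -c8)" = r ]; then echo readable; else echo unreadable; fi
}

# Print the control flag of each active auth line that loads pam_nologin.so
# in a PAM service file; return 1 if there is none. Commented-out lines never
# match because their first field starts with "#".
nologin_control() {
    awk '
        $1 == "auth" || $1 == "-auth" {
            ctl = $2; i = 3
            # Bracketed controls such as [default=die success=ok] span fields.
            if (ctl ~ /^\[/) while (ctl !~ /\]$/ && i <= NF) ctl = ctl " " $(i++)
            if ($i == "pam_nologin.so" || $i ~ /\/pam_nologin\.so$/) { print ctl; found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# One-line verdict for a service file: ENFORCED when the flag is required or
# requisite, WEAK for any other flag (a module failure may not block the
# login), MISSING when no auth line loads the module.
audit_service() {
    ctl=$(nologin_control "$1") || { echo "MISSING $1"; return 1; }
    case $ctl in
        required|requisite) echo "ENFORCED $1 ($ctl)" ;;
        *) echo "WEAK $1 ($ctl)"; return 1 ;;
    esac
}

# Stand-alone use: sh audit.sh /etc/pam.d/login /etc/pam.d/sshd
if [ "$#" -gt 0 ]; then
    echo "nologin file: $(nologin_state /etc/nologin)"
    for svc in "$@"; do audit_service "$svc" || :; done
fi
```

Run it with the service files to audit as arguments; any WEAK or MISSING line means /etc/nologin would not reliably block logins for that service.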