pam_nologin
Prevent user logins based on /etc/nologin
SYNOPSIS
pam_nologin.so [debug] [file=/path/filename]
PARAMETERS
debug
Log debug information via syslog
file=/path/filename
Specify alternative file instead of /etc/nologin
DESCRIPTION
The pam_nologin module is part of the Pluggable Authentication Modules (PAM) framework in Linux systems. It checks for the existence of the /etc/nologin file during login attempts. If the file exists and the user is not root (or lacks CAP_SYS_ADMIN capability), access is denied with a message from the file or a default notice. This mechanism is commonly used by administrators to temporarily restrict interactive logins to superusers during maintenance, shutdowns, or high-load situations.
Typically stacked in the session management phase of PAM configuration files like /etc/pam.d/login, /etc/pam.d/sshd, or /etc/pam.d/su, it provides a simple, non-intrusive way to enforce login restrictions without rebooting or complex scripting. Non-interactive sessions (e.g., cron jobs) are usually unaffected if configured properly. The module logs denial events via syslog for auditing.
To activate, create or touch /etc/nologin with an optional message. Remove the file to restore normal access. It integrates seamlessly with other PAM modules and supports custom nologin file paths.
CAVEATS
Only affects new login sessions; sessions that are already established continue unaffected. Non-interactive services (e.g., cron) may bypass the restriction if they do not go through the PAM session stack. The module must be stacked correctly in the PAM configuration files; on its own it enforces nothing.
TYPICAL USAGE
Add to /etc/pam.d/login:
session required pam_nologin.so
Then create /etc/nologin (for example with touch /etc/nologin) to activate the restriction.
FILE FORMAT
The contents of /etc/nologin are displayed to the user as the denial message; an empty file produces the default "System not bootable" notice.
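The decision described under DESCRIPTION, TYPICAL USAGE and FILE FORMAT (file present, caller not root, message from the file or the default notice) as an added shell example for study; this is not the module's own source, and nologin_check and demo are names chosen here. It reads a constructed temporary file rather than /etc/nologin so it can be run safely on any host.

```sh
#!/bin/sh
# Emulates the check pam_nologin performs: deny when the nologin file exists
# and the caller is not root; allow otherwise. Constructed example, not the
# module's code. Arguments: numeric uid, optional path to the nologin file
# (defaults to /etc/nologin, mirroring the file= parameter).
nologin_check() {
    uid="$1"
    file="${2:-/etc/nologin}"
    # No file present: nothing to enforce, the login proceeds.
    [ -e "$file" ] || return 0
    # Root is exempt so administrators keep access during maintenance.
    [ "$uid" -eq 0 ] && return 0
    # Show the file's message, or the default notice when the file is empty,
    # then deny the login.
    if [ -s "$file" ]; then
        cat "$file"
    else
        echo "System not bootable"
    fi
    return 1
}

# Demonstration on a constructed temporary file (never touches /etc/nologin).
demo() {
    tmp=$(mktemp)
    echo "Down for maintenance until 18:00" > "$tmp"
    if nologin_check 1000 "$tmp"; then
        echo "uid 1000: allowed"
    else
        echo "uid 1000: denied"
    fi
    if nologin_check 0 "$tmp" >/dev/null; then
        echo "uid 0: allowed"
    fi
    rm -f "$tmp"
}
demo
```

Point the second argument at any path to see the effect of the file= parameter; once the file is removed, every uid is allowed again.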
HISTORY
Developed as part of the Linux-PAM project; first appeared around PAM 0.69 (late 1990s) and is stable in modern distributions such as RHEL and Debian.