pam_nologin

auth [control-flags] pam_nologin.so

The pam_nologin PAM module prevents users from logging in if the /etc/nologin file exists. If the file exists, only users with a UID less than LOGIN_UID_MAX (defined in /etc/login.defs) and members of groups listed in /etc/nologin.d are permitted to log in. This is commonly used during system maintenance to prevent normal users from logging in and potentially interfering with administrative tasks.

When a user attempts to log in and /etc/nologin exists, pam_nologin displays the contents of the file to the user and denies access. This provides a mechanism for informing users why they are unable to log in. The module is typically used in the auth section of the PAM configuration, ensuring that the check occurs early in the authentication process.

The /etc/nologin file must be readable by all users for the message to be displayed correctly. Ensure proper permissions are set. This module does not offer any configurable parameters.

To use this module, add a line similar to the synopsis to the PAM configuration file for the service you wish to protect (e.g., /etc/pam.d/login or /etc/pam.d/sshd). The control-flags (e.g., required, requisite, optional, sufficient) determine how the module's success or failure affects the overall authentication process.

A typical entry in /etc/pam.d/login might look like:
auth required pam_nologin.so
This ensures that pam_nologin is always checked during the authentication process. If /etc/nologin exists, logins will be denied as described above.

login(1), shutdown(8)