LinuxCommandLibrary

pam_nologin

Prevent user logins based on /etc/nologin

SYNOPSIS

auth [control-flags] pam_nologin.so

DESCRIPTION

The pam_nologin PAM module prevents users from logging in if the /etc/nologin file exists. If the file exists, only users with a UID less than LOGIN_UID_MAX (defined in /etc/login.defs) and members of groups listed in /etc/nologin.d are permitted to log in. This is commonly used during system maintenance to prevent normal users from logging in and potentially interfering with administrative tasks.

When a user attempts to log in and /etc/nologin exists, pam_nologin displays the contents of the file to the user and denies access. This provides a mechanism for informing users why they are unable to log in. The module is typically used in the auth section of the PAM configuration, ensuring that the check occurs early in the authentication process.

CAVEATS

The /etc/nologin file must be readable by all users for the message to be displayed correctly. Ensure proper permissions are set. This module does not offer any configurable parameters.

USAGE

To use this module, add a line similar to the synopsis to the PAM configuration file for the service you wish to protect (e.g., /etc/pam.d/login or /etc/pam.d/sshd). The control-flags (e.g., required, requisite, optional, sufficient) determine how the module's success or failure affects the overall authentication process.

EXAMPLE CONFIGURATION

A typical entry in /etc/pam.d/login might look like:

auth required pam_nologin.so

This ensures that pam_nologin is always checked during the authentication process. If /etc/nologin exists, logins will be denied as described above.
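
The audit script below is an added example, not part of the original page or of the Linux-PAM project. It reports the control flag of each pam_nologin entry in a PAM service file and checks whether the nologin file carries the world-read bit mentioned under CAVEATS. The function names and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit pam_nologin placement in a PAM service file and the
# readability of the nologin message file. Function names are hypothetical.

# Print the control flag of every pam_nologin entry of the given type.
# $1 = PAM service file, $2 = management group (default: auth)
# Entries reached only through include/substack lines are not followed.
nologin_flags() {
    awk -v want="${2:-auth}" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            t = $1; sub(/^-/, "", t)             # "-auth" is still an auth line
            i = 2; ctl = $2
            # a bracketed control such as [success=ok default=bad] spans fields
            while (ctl ~ /^\[/ && ctl !~ /\]$/ && i < NF) ctl = ctl " " $(++i)
            m = $(i + 1); sub(/.*\//, "", m)     # drop any directory prefix
            if (t == want && m == "pam_nologin.so") print ctl
        }' "$1"
}

# Report the state of the nologin file: absent, readable, or unreadable
# (present but without the other-read bit, so users would see no message).
# $1 = path to the file (default: /etc/nologin)
nologin_file_state() {
    f="${1:-/etc/nologin}"
    [ -e "$f" ] || { echo absent; return 0; }
    case "$(ls -ldL "$f" | cut -c8)" in
        r) echo readable ;;
        *) echo unreadable ;;
    esac
}

# Demo on constructed sample input, so nothing under /etc is touched.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample service file' \
        'auth       requisite  pam_nologin.so' \
        'auth       include    system-auth' > "$d/login"
    printf 'System maintenance in progress.\n' > "$d/nologin"
    chmod 600 "$d/nologin"
    echo "auth flags: $(nologin_flags "$d/login")"
    echo "nologin file: $(nologin_file_state "$d/nologin")"
    rm -rf "$d"
}
demo
```

On a real system, run nologin_flags against /etc/pam.d/login or /etc/pam.d/sshd and nologin_file_state against /etc/nologin. Empty output from nologin_flags means the service file itself has no pam_nologin line of that type.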

SEE ALSO

login(1), shutdown(8)
