4 This file was written by Andrew G. Morgan <morgan@kernel.org>
7 <sect1>The locking-out module
14 <tag><bf>Module Name:</bf></tag>
17 <tag><bf>Author:</bf></tag>
18 Andrew G. Morgan <morgan@kernel.org>
20 <tag><bf>Maintainer:</bf></tag>
21 current <bf/Linux-PAM/ maintainer
23 <tag><bf>Management groups provided:</bf></tag>
24 account; authentication; password; session
26 <tag><bf>Cryptographically sensitive:</bf></tag>
28 <tag><bf>Security rating:</bf></tag>
30 <tag><bf>Clean code base:</bf></tag>
33 <tag><bf>System dependencies:</bf></tag>
35 <tag><bf>Network aware:</bf></tag>
39 <sect2>Overview of module
42 This module can be used to deny access. It always indicates a failure
43 to the application through the PAM framework. As is commented in the
44 overview section <ref id="overview-section" name="above">, this module
45 might be suitable for using for default (the <tt/OTHER/) entries.
47 <sect2>Account component
52 <tag><bf>Recognized arguments:</bf></tag>
54 <tag><bf>Description:</bf></tag>
56 This component does nothing other than return a failure. The
57 failure type is <tt/PAM_ACCT_EXPIRED/.
59 <tag><bf>Examples/suggested usage:</bf></tag>
61 Stacking this module with type <tt/account/ will prevent the user from
62 gaining access to the system via applications that refer to
63 <bf/Linux-PAM/'s account management function <tt/pam_acct_mgmt()/.
66 The following example would make it impossible to login:
70 # add this line to your other login entries to disable all accounts
72 login account required pam_deny.so
78 <sect2>Authentication component
83 <tag><bf>Recognized arguments:</bf></tag>
85 <tag><bf>Description:</bf></tag>
87 This component does nothing other than return a failure. The failure
88 type is <tt/PAM_AUTH_ERR/ in the case that <tt/pam_authenticate()/ is
89 called (when the application tries to authenticate the user), and is
90 <tt/PAM_CRED_UNAVAIL/ when the application calls <tt/pam_setcred()/
91 (to establish and set the credentials of the user -- it is unlikely
92 that this function will ever be called in practice).
94 <tag><bf>Examples/suggested usage:</bf></tag>
96 To deny access to default applications with this component of the
97 <tt/pam_deny/ module, you might include the following line in your
98 <bf/Linux-PAM/ configuration file:
102 # add this line to your existing OTHER entries to prevent
103 # authentication succeeding with default applications.
105 OTHER auth required pam_deny.so
111 <sect2>Password component
116 <tag><bf>Recognized arguments:</bf></tag>
118 <tag><bf>Description:</bf></tag>
120 This component of the module denies the user the opportunity to change
121 their password. It always responds with <tt/PAM_AUTHTOK_ERR/ when
124 <tag><bf>Examples/suggested usage:</bf></tag>
126 This module should be used to prevent an application from updating the
127 applicant user's password. For example, to prevent <tt/login/ from
128 automatically prompting for a new password when the old one has
129 expired you should include the following line in your configuration
134 # add this line to your other login entries to prevent the login
135 # application from being able to change the user's password.
137 login password required pam_deny.so
143 <sect2>Session component
148 <tag><bf>Recognized arguments:</bf></tag>
150 <tag><bf>Description:</bf></tag>
152 This aspect of the module prevents an application from starting a
153 session on the host computer.
155 <tag><bf>Examples/suggested usage:</bf></tag>
157 Together with another session module, that displays a message of the
158 day perhaps (<tt/pam_motd/ for example), this module can be used to
159 block a user from starting a shell. We might use the following entries
160 in the configuration file to inform the user it is system time:
164 # An example to see how to configure login to refuse the user a
167 login session required pam_motd.so \
168 motd=/etc/system_time
169 login session required pam_deny.so
176 End of sgml insert for this module.