The locking-out module Synopsis

Module Name: pam_deny Author: Andrew G. Morgan <morgan@parc.power.net> Maintainer: current Management groups provided: account; authentication; password; session Cryptographically sensitive: Security rating: Clean code base: clean. System dependencies: Network aware: Overview of module

This module can be used to deny access. It always indicates a failure to the application through the PAM framework. As is commented in the overview section , this module might be suitable for using for default (the Account component

Recognized arguments: Description: This component does nothing other than return a failure. The failure type is Examples/suggested usage: Stacking this module with type The following example would make it impossible to login: # # add this line to your other login entries to disable all accounts # login account required pam_deny.so Authentication component

Recognized arguments: Description: This component does nothing other than return a failure. The failure type is Examples/suggested usage: To deny access to default applications with this component of the # # add this line to your existing OTHER entries to prevent # authentication succeeding with default applications. # OTHER auth required pam_deny.so Password component

Recognized arguments: Description: This component of the module denies the user the opportunity to change their password. It always responds with Examples/suggested usage: This module should be used to prevent an application from updating the applicant user's password. For example, to prevent # # add this line to your other login entries to prevent the login # application from being able to change the user's password. # login password required pam_deny.so Session component

Recognized arguments: Description: This aspect of the module prevents an application from starting a session on the host computer. Examples/suggested usage: Together with another session module, that displays a message of the day perhaps (XXX - such a module needs to be written), this module can be used to block a user from starting a shell. Given the presence of a # # An example to see how to configure login to refuse the user a # session (politely) # login session required pam_motd.so \ file=/etc/system_time login session required pam_deny.so