PAM Lockout Module 0.1 review
PAM Lockout Module is a PAM module used to lock out users or groups from access to the machine. The module only supports authentication queries, and the users and groups are passed to it as command line arguments.
A sample usage is for locking root out from remote access.
--------------- /etc/pam.d/sshd ---------
#%PAM-1.0
auth requisite /lib/security/pam_lockout.so user=root
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
-----------------------------------------
The arguments to the module are in the form of 'user=' or 'group='. There MUST NOT be any spaces in the arguments for the module to work.
I placed the module at the head of the stack to prevent other PAM modules from being accessed by the locked out users. In order for the user or group lockout to work, the username or group name should be available via the getpwnam(3) or getgrnam(3) functions.
User comparisons are done using the pw_uid field in the passwd structure, so any user with an id of zero would be locked out in the above example. Group comparisons are done via string compares of the inbound user and the names returned by getgrnam(3).
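The two comparison rules described above, as an added example that is not the module's own source. The passwd and group entries (toor, alice, bob, contractors) are constructed stand-ins for getpwnam(3)/getgrnam(3) results, and the group rule is modelled on the gr_mem member list, which is an assumption about which names the module reads.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* user= rule as described: numeric pw_uid comparison, not a name comparison. */
int user_locked(const struct passwd *inbound, const struct passwd *locked)
{
    return inbound && locked && inbound->pw_uid == locked->pw_uid;
}

/* group= rule as modelled here (assumption): strcmp of the inbound user name
 * against the member names in the group entry (gr_mem). The primary group
 * in pw_gid is not consulted. */
int group_locked(const char *inbound, const struct group *locked)
{
    if (!inbound || !locked || !locked->gr_mem)
        return 0;
    for (char **m = locked->gr_mem; *m; m++)
        if (strcmp(*m, inbound) == 0)
            return 1;
    return 0;
}

/* Constructed sample entries, standing in for getpwnam(3)/getgrnam(3) results. */
struct passwd pw_root  = { .pw_name = "root",  .pw_uid = 0,    .pw_gid = 0 };
struct passwd pw_toor  = { .pw_name = "toor",  .pw_uid = 0,    .pw_gid = 0 };
struct passwd pw_alice = { .pw_name = "alice", .pw_uid = 1000, .pw_gid = 1000 };
struct passwd pw_bob   = { .pw_name = "bob",   .pw_uid = 1001, .pw_gid = 2000 };
char *contractor_members[] = { "alice", NULL };
struct group gr_contractors = { .gr_name = "contractors", .gr_gid = 2000,
                                .gr_mem = contractor_members };

int main(void)
{
    /* user=root also matches any other account that shares uid 0 */
    printf("user=root vs toor:          %d\n", user_locked(&pw_toor, &pw_root));
    printf("user=root vs alice:         %d\n", user_locked(&pw_alice, &pw_root));
    printf("group=contractors vs alice: %d\n", group_locked("alice", &gr_contractors));
    /* bob's primary gid is 2000, but his name is not in gr_mem */
    printf("group=contractors vs bob:   %d\n", group_locked("bob", &gr_contractors));
    return 0;
}
```

Under this model, an account that belongs to a locked group only through its primary gid in the passwd entry is not matched, so a group= lockout is worth testing against accounts of that kind before relying on it.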