Archive for the tag 'PAM'

Using pam_deny.so to Quickly Deny Access to a Service

In order to deny access to a service SVCNAME via PAM, edit the file /etc/pam.d/SVCNAME and prepend this line to the beginning of the file:

auth requisite pam_deny.so

Under most circumstances, there are better ways to disable a service than to deny access via PAM. However, this should suffice as a way to quickly make a service unavailable to future users (existing sessions which have already been authenticated are not affected). The requisite control value tells PAM that, if the named module returns failure, authentication should fail and PAM should immediately stop processing the configuration file. The pam_deny.so module always returns failure regardless of its input.

SBDavid

Advantages of PAM

Pluggable Authentication Modules (PAM) is a way of allowing the system administrator to set an authentication policy without having to recompile authentication programs. With PAM, you control how particular authentication modules are plugged into a program by editing that program’s PAM configuration file in /etc/pam.d.

When used correctly, PAM provides many advantages for a system administrator, such as the following:

* A common authentication scheme that can be used with a wide variety of applications.
* PAM can be implemented with various applications without having to recompile the applications to specifically support PAM.
* Great flexibility and control over authentication for the administrator and application developer.
* Application developers do not need to develop their program to use a particular authentication scheme. Instead, they can focus purely on the details of their program.

SBDavid

Disabling Root Using PAM

PAM, through the /lib/security/pam_listfile.so module, allows great flexibility in denying specific accounts.

This allows the administrator to point the module at a list of users who are not allowed to log in.

Below is an example of how the module is used for the vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file (the \ character at the end of the first line in the following example is not necessary if the directive is on one line):

auth required /lib/security/pam_listfile.so item=user \
    sense=deny file=/etc/vsftpd.ftpusers

This tells PAM to consult the file /etc/vsftpd.ftpusers and deny access to the service for any user listed. The administrator is free to change the name of this file, and can keep separate lists for each service or use one central list to deny access to multiple services.
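As an added illustration (not code from the original posts), here is a small Python model of how PAM walks the auth stack of a /etc/pam.d/SVCNAME file. It covers both the prepended "requisite pam_deny.so" line and the pam_listfile.so sense=deny example; the module behaviour, the configuration text and the deny list are all constructed for the demo.

```python
# Constructed simulator of how PAM walks the "auth" lines of one
# /etc/pam.d/SVCNAME file. Only what the two posts need is modelled:
# pam_deny.so always fails, pam_listfile.so consults a user list, and
# any other module (a stand-in for e.g. pam_unix.so) is assumed to
# succeed. Real PAM has more control values and return codes than this.

def run_module(module, args, user, lists):
    """True on success, False on failure, for a single module line."""
    if module.endswith("pam_deny.so"):
        return False                          # always fails, whatever the input
    if module.endswith("pam_listfile.so"):
        opts = dict(a.split("=", 1) for a in args)
        listed = user in lists.get(opts.get("file"), set())
        return (not listed) if opts.get("sense") == "deny" else listed
    return True

def evaluate_auth(config_text, user, lists):
    """Return (access_granted, modules_consulted) for the auth stack."""
    failed = succeeded = False
    consulted = []
    # A trailing backslash continues the directive on the next line.
    for line in config_text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        ok = run_module(module, args, user, lists)
        consulted.append(module.rsplit("/", 1)[-1])
        if control == "requisite":
            if not ok:
                return False, consulted       # fail and stop processing at once
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True                 # fail, but finish the stack first
        elif control == "sufficient" and ok and not failed:
            return True, consulted
    return succeeded and not failed, consulted

# Constructed configuration files and a constructed deny list.
SVC_DENIED = "auth requisite pam_deny.so\nauth required pam_unix.so\n"
VSFTPD = ("auth required /lib/security/pam_listfile.so item=user \\\n"
          "    sense=deny file=/etc/vsftpd.ftpusers\n"
          "auth required pam_unix.so\n")
FTPUSERS = {"/etc/vsftpd.ftpusers": {"root", "bin", "daemon"}}

if __name__ == "__main__":
    print(evaluate_auth(SVC_DENIED, "alice", {}))   # (False, ['pam_deny.so'])
    print(evaluate_auth(VSFTPD, "root", FTPUSERS))  # (False, ['pam_listfile.so', 'pam_unix.so'])
    print(evaluate_auth(VSFTPD, "alice", FTPUSERS)) # (True, ['pam_listfile.so', 'pam_unix.so'])
```

The first run shows that with requisite the stack stops at pam_deny.so and pam_unix.so is never consulted, while with required the listed user is refused only after the remaining modules have run.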