THIS IS BETA SOFTWARE
I have given this module some amount of testing, but software bugs may still exists. The module is small, almost trivial and I have preformed a lite amount of checking. Feedback is appreiciated and my address can be found in the README file distributed with the code.
This PAM module is used to lockout users or groups from access to the machine. The module only supports authentication queries and the command line arguments are used to pass the users and groups.
A sample usage is for locking root out from remote access.
--------------- /etc/pam.d/sshd --------- #%PAM-1.0 auth requisite /lib/security/pam_lockout.so user=root auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth -----------------------------------------
The arguments to the module are in the form of 'user=
I placed the module at the head of the stack to prevent other PAM modules from being accessed by the locked out users. In order for the user or group lockout to work the username or group name should be available via the getpwnam(3) or getgrnam(3) functions.
User comarisions are done using the pw_uid field in the passwd structure. So any user with and id of zero would be locked out in the above example. Group comparisions are done via string compares of the inbound user and the names returned by getgrnam(3).
Version 0.1 - 2004-03-16
Minor modifications to the information sent to syslog. The logs should now include the reason the user was locked out.