pam_prohibit Module
Purpose
Returns a value denoting a failure for each PAM module type.
Description
The pam_prohibit
module returns a failure for all PAM module types. If used as a required
or requisite module for a service, the stack that this module is incorporated
into will always fail. It is recommended that individual services
be explicitely configured in /etc/pam.conf and then the pam_prohibit
module used for the OTHER service entries. Configuring the system
in this way ensures that only known PAM enabled applications are capable
of successfully authenticating users. Listed below is an example of
how to configure the OTHER service keyword in /etc/pam.conf to use
the pam_prohibit module:
#
# Fail for all PAM services not explicitely configured
#
OTHER auth required /usr/lib/security/pam_prohibit
OTHER account required /usr/lib/security/pam_prohibit
OTHER password required /usr/lib/security/pam_prohibit
OTHER session required /usr/lib/security/pam_prohibit
Functionality opposite to that provided by pam_prohibit can be obtained by using the pam_allow module.
Supported PAM module types
- Authentication
- pam_sm_authenticate returns PAM_AUTH_ERR pam_sm_setcred returns PAM_CRED_ERR
- Account Management
- pam_sm_acct_mgmt returns PAM_ACCT_EXPIRED
- Session Management
- pam_sm_open_session returns PAM_SESSION_ERR
- Password Management
- pam_sm_chauthtok returns PAM_AUTHTOK_ERR
Options
The pam_prohibit module accepts the following parameters
specified as options in the PAM configuration file:
| Item | Description |
|---|---|
| debug | Log debugging information to syslog. |
| nowarn | Do not display warning messages. |
Return Values
The pam_prohibit module will never return PAM_SUCCESS. If an invalid PAM handle is found then PAM_SYSTEM_ERR is returned, otherwise the error code returned is PAM module type specific.
Location
/usr/lib/security/pam_prohibit