Random Musings

Sporadic thoughts on tech, economics, business, finance and trading

pam_nologin.so & /etc/nologin


A systems administrator is tasked with preventing logins from accounts other than root while the file /etc/nologin exists. Which of the following PAM modules will accomplish this task?

  A. pam_login.so
  B. pam_access.so
  C. pam_logindef.so
  D. pam_nologin.so

The correct answer is:

D. pam_nologin.so

Explanation:

The pam_nologin.so module is specifically designed to deny logins to every user other than root (uid 0) while the /etc/nologin file exists, and it displays the contents of that file to the user being turned away. It is commonly used during system maintenance to restrict user access temporarily while still allowing root to log in.

Why not the others?

  • A. pam_login.so: This is not a standard PAM module and does not exist in typical PAM configurations.
  • B. pam_access.so: This module controls access based on user, group, and host rules defined in /etc/security/access.conf. It doesn’t rely on /etc/nologin.
  • C. pam_logindef.so: This module does not exist. It may be a distractor.

Thus, D. pam_nologin.so is the correct choice.

So, do we just copy pam_nologin.so to /etc/nologin?

No, you do not copy pam_nologin.so to /etc/nologin. Here’s how it works:

  • The pam_nologin module is a PAM (Pluggable Authentication Module) that checks for the existence of the /etc/nologin file. When the /etc/nologin file is present, it prevents non-root users from logging in.

Steps to use pam_nologin:

  1. Enable the PAM module:
  • Ensure that pam_nologin is loaded by the PAM stack of every service through which users log in (login, sshd, display managers, and so on).
  • On most distributions it is already present in the service-specific files rather than in the shared /etc/pam.d/common-auth; check /etc/pam.d/login and /etc/pam.d/sshd. Example entries:
    auth    requisite  pam_nologin.so    (typical in /etc/pam.d/login)
    account required   pam_nologin.so    (typical in /etc/pam.d/sshd)
  • For SSH, sshd only runs its PAM stack when UsePAM yes is set in /etc/ssh/sshd_config.
  2. Create the /etc/nologin file:
  • To activate the restriction, create /etc/nologin as root (a root-owned, mode 0644 file is enough) containing the message that denied users should see:
    echo "System maintenance in progress. Only root can log in." > /etc/nologin
  3. Test the configuration:
  • Attempt to log in as a non-root user, on the console and over SSH, and confirm that access is denied and the message from /etc/nologin is shown. Do this from a second terminal while keeping an existing root or sudo-capable session open, in case direct root login is disabled on the host.
  4. Remove the /etc/nologin file:
  • When the restriction is no longer needed, delete the file; the restriction lifts immediately:
    rm /etc/nologin
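The four steps above, as a small POSIX shell helper that is an added example and not part of the original post or of Linux-PAM itself. The function names, the sample PAM configuration lines and the decision logic in simulate_pam_nologin are my own reconstruction of the documented behaviour (deny when the file exists and the uid is not 0, otherwise succeed); it runs against a temporary directory so it can be exercised without root, whereas on a real host the file would be /etc/nologin and the PAM files /etc/pam.d/login or /etc/pam.d/sshd.

```sh
#!/bin/sh
# Added example (not from the original post): a maintenance-mode helper that
# mirrors the documented pam_nologin.so behaviour so it can be tested as a
# normal user. Assumptions: function names, the simulated decision logic and
# the constructed PAM config lines below are mine; on a real host use
# /etc/nologin and /etc/pam.d/{login,sshd}.
set -eu

# pam_has_nologin FILE: succeed if FILE has an uncommented line loading
# pam_nologin.so. The login service uses "auth requisite pam_nologin.so";
# Debian's sshd uses "account required pam_nologin.so", so both are accepted.
pam_has_nologin() {
  grep -Eq '^[[:space:]]*(auth|account)[[:space:]]+[^#]*pam_nologin\.so' "$1"
}

# enable_maintenance FILE MESSAGE: create the nologin file. The module only
# tests for existence; the content is what denied users get shown.
enable_maintenance() {
  printf '%s\n' "$2" > "$1"
  chmod 0644 "$1"
}

# disable_maintenance FILE: remove the file; the restriction ends at once.
disable_maintenance() {
  rm -f "$1"
}

# simulate_pam_nologin UID FILE: re-implements the module's decision for
# illustration only. Returns 0 (PAM_SUCCESS) when FILE is absent or UID is 0;
# otherwise prints the file's message and returns 1 (the module returns
# PAM_AUTH_ERR). Note the real module keys on uid 0, not on the name "root".
simulate_pam_nologin() {
  if [ -e "$2" ] && [ "$1" -ne 0 ]; then
    cat "$2"
    return 1
  fi
  return 0
}

# Self-contained demo on constructed data in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  printf 'auth   requisite  pam_nologin.so\nauth   required   pam_unix.so\n' > "$tmp/login"
  printf '#auth  requisite  pam_nologin.so\nauth   required   pam_unix.so\n' > "$tmp/login-off"

  pam_has_nologin "$tmp/login" && echo "login: pam_nologin is active"
  pam_has_nologin "$tmp/login-off" || echo "login-off: pam_nologin is NOT active"

  enable_maintenance "$tmp/nologin" "System maintenance in progress. Only root can log in."
  simulate_pam_nologin 1000 "$tmp/nologin" || echo "uid 1000: denied"
  simulate_pam_nologin 0 "$tmp/nologin" && echo "uid 0: allowed"
  disable_maintenance "$tmp/nologin"
  simulate_pam_nologin 1000 "$tmp/nologin" && echo "uid 1000 after removal: allowed"
  rm -rf "$tmp"
}

demo
```

The grep in pam_has_nologin is the check worth keeping: a commented-out `#auth requisite pam_nologin.so` line is the usual reason the file exists but nobody is denied.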

Key Points:

  • The pam_nologin.so module is not copied or moved; it resides with the other PAM modules in the system library directory (e.g. /lib/x86_64-linux-gnu/security on Debian/Ubuntu, /usr/lib64/security on Fedora/RHEL).
  • The presence of /etc/nologin (or, on current Linux-PAM, /var/run/nologin, which systemd creates during early boot and at shutdown) makes the module deny logins for every user whose uid is not 0. It only acts at login time and does not end sessions that are already open.
  • /etc/nologin survives reboots, so a forgotten file keeps non-root users locked out indefinitely; and because the exemption is for uid 0 only, a host where root cannot log in directly (locked root password, PermitRootLogin no) has no way in other than an already-open session.