How to temporarily disable user logins

Sometimes, I want to prevent regular users from logging into the system to perform more complex operations. To achieve that, I am using Pluggable Authentication Modules for Linux to temporarily disable user logins.

Basic usage

Disable user logins without providing a reason.

$ sudo touch /run/nologin

Example of a failed login attempt (as regular user).

$ ssh milosz@remote_server
milosz@remote_server's password: 
Connection closed by remote_server

Disable user logins providing an additional reason.

$ echo "System maintenance in progress" | sudo tee /run/nologin

Example of a failed login attempt (as regular user).

$ ssh milosz@remote_server
milosz@remote_server's password: 
System maintenance in progress

Connection closed by remote_server

Notice that /var/run is a link to /run directory, so I have used shorter version.

Pluggable Authentication Modules configuration

Set of rules that determines behavior of pam_nologin module for the Shadow login service is defined in /etc/pam.d/login Pluggable Authentication Modules configuration file.

By default only root user can login if /run/nologin file exists.

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

Use pam_succeed_if module once to bypass that restriction for users in the admins group.

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
# ignore rule if user is in admins group
  auth [default=1 success=ignore] pam_succeed_if.so quiet user notingroup admins
  auth requisite  pam_nologin.so

Set of rules that determines behavior of pam_nologin module for the Secure Shell service is defined in /etc/pam.d/sshd Pluggable Authentication Modules configuration file.

By default no one can login over SSH protocol if /run/nologin file exists [assuming that PermitRootLogin SSH configuration directive is not enabled].

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

Use pam_succeed_if module multiple times to bypass that restriction for users in admins group and milosz username.

# Disallow non-root logins when /etc/nologin exists.
account [default=2 success=ignore] pam_succeed_if.so quiet user != milosz
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup admins
account required pam_nologin.so

You can use user, uid, gid, shell, home, ruser, rhost, tty, service fields to build a condition which consist of three words: field, test and a value to test for.

In above-mentioned examples pam_succeed_if module will skip execution of given number of rules on condition failure. To explain and illustrate this behavior I have prepared the following real world examples based upon previous configuration.

Situation in which user name and group differs. Access will be denied as pam_nologin module is executed.

Sep  7 05:52:11 debian sshd[6728]: pam_succeed_if(sshd:account): 'user' resolves to 'pawel'
Sep  7 05:52:11 debian sshd[6728]: pam_succeed_if(sshd:account): requirement "user != milosz" was met by user "pawel"
Sep  7 05:52:11 debian sshd[6728]: pam_succeed_if(sshd:account): 'user' resolves to 'pawel'
Sep  7 05:52:11 debian sshd[6728]: pam_succeed_if(sshd:account): requirement "user notingroup admins" was met by user "pawel"
Sep  7 05:52:11 debian sshd[6728]: Failed password for pawel from ::1 port 57219 ssh2
Sep  7 05:52:11 debian sshd[6728]: fatal: Access denied for user pawel by PAM account configuration [preauth]

Situation in which user name differs, group matches. Access will be granted as pam_nologin module is not executed.

Sep  7 05:53:31 debian sshd[6740]: pam_succeed_if(sshd:account): 'user' resolves to 'michael'
Sep  7 05:53:31 debian sshd[6740]: pam_succeed_if(sshd:account): requirement "user != milosz" was met by user "michael"
Sep  7 05:53:31 debian sshd[6740]: pam_succeed_if(sshd:account): 'user' resolves to 'michael'
Sep  7 05:53:31 debian sshd[6740]: pam_succeed_if(sshd:account): requirement "user notingroup admins" not met by user "michael"
Sep  7 05:53:31 debian sshd[6740]: Accepted password for michael from ::1 port 57220 ssh2
Sep  7 05:53:31 debian sshd[6740]: pam_unix(sshd:session): session opened for user michael by (uid=0)

Situation in which user name matches. Access will be granted as group condition is not evaluated and pam_nologin module is not executed.

Sep  7 05:54:11 debian sshd[6755]: pam_succeed_if(sshd:account): 'user' resolves to 'milosz'
Sep  7 05:54:11 debian sshd[6755]: pam_succeed_if(sshd:account): requirement "user != milosz" not met by user "milosz"
Sep  7 05:54:11 debian sshd[6755]: Accepted password for milosz from ::1 port 57221 ssh2
Sep  7 05:54:11 debian sshd[6755]: pam_unix(sshd:session): session opened for user milosz by (uid=0)

References

Read pam_nologin and pam_succeed_if manual pages to get detailed information.

Milosz Galazka's Picture

About Milosz Galazka

Milosz is a system administrator working for a successful Polish company and a long time supporter of Free Software Foundation and Debian operating system.

Gdansk, Poland https://sleeplessbeastie.eu