====== Ubuntu - PAM - Restrict root Access to SSH Service ======
As an example, we will configure PAM to deny the root user access to the system via SSH and the login program, by restricting the sshd and login services.
We can use the **/lib/security/pam_listfile.so** module which offers great flexibility in limiting the privileges of specific accounts.
----
===== Configure a PAM config file for the service to be restricted =====
Open and edit the file for the target service in the **/etc/pam.d/** directory as shown.
sudo vim /etc/pam.d/sshd
or
sudo vim /etc/pam.d/login
----
===== Add PAM rule =====
Add this rule to both files:
auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ssh/deniedusers
* **auth:** is the module type (or context).
* **required:** is a control flag meaning that this module must succeed; if it fails, the overall result is failure regardless of the results of the other modules in the stack (which are still run).
* **pam_listfile.so:** is a module which provides a way to deny or allow services based on an arbitrary file.
* **onerr=succeed:** module argument which specifies the result returned if an error occurs, for example because the file cannot be opened or read. With succeed the module passes and the restriction is silently not enforced; onerr=fail would deny access instead.
* **item=user:** module argument which specifies what is listed in the file and should be checked for.
* **sense=deny:** module argument which specifies the action to take if the item is found in the file; if it is NOT found, the opposite action is taken. With sense=deny, listed users are denied and all other users pass this check.
* **file=/etc/ssh/deniedusers:** module argument which specifies file containing one item per line.
----
===== Create denied users file =====
Create the file /etc/ssh/deniedusers and add the name root to it, one username per line:
sudo vim /etc/ssh/deniedusers
Save the changes and close the file.
----
===== Set the required permissions on the denied users file =====
sudo chmod 600 /etc/ssh/deniedusers
The file must be owned by root and must not be world-writable; pam_listfile.so treats any other case as an error and applies the onerr= setting.
----
From now on, the above rule will tell PAM to consult the **/etc/ssh/deniedusers** file and deny access to the SSH and login services for any listed user. Note that sshd only consults PAM when **UsePAM yes** is set in /etc/ssh/sshd_config (the Ubuntu default), and that a mistake in a PAM file can lock you out, so test the change from a second session before closing the one you are editing in.
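The following script, added here as an example and not part of the original page, mimics the allow/deny decision pam_listfile.so makes for item=user with the sense= and onerr= arguments explained above, and audits the two files the procedure creates. File paths are passed as parameters so it can be run against constructed test files as well as the real /etc/pam.d/sshd and /etc/ssh/deniedusers; it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Example added to this page, not part of the original. listfile_decision mimics
# what pam_listfile.so returns for item=user; the audit_* functions check the
# files the procedure above creates. All paths are parameters so the functions
# can be run against constructed files as well as the real ones.

# listfile_decision USER FILE SENSE ONERR  -> prints "allow" or "deny"
listfile_decision() {
    user=$1; file=$2; sense=$3; onerr=$4
    if [ ! -r "$file" ]; then
        # File missing or unreadable (pam_listfile also treats a file not owned
        # by root, or world-writable, as an error): the outcome is whatever
        # onerr says. With onerr=succeed the check is skipped for everyone.
        if [ "$onerr" = succeed ]; then echo allow; else echo deny; fi
        return 0
    fi
    if grep -qxF -- "$user" "$file"; then found=yes; else found=no; fi
    # sense=deny: listed users are refused, others pass.
    # sense=allow: only listed users pass.
    if [ "$sense" = deny ] && [ "$found" = yes ]; then echo deny
    elif [ "$sense" = allow ] && [ "$found" = no ]; then echo deny
    else echo allow
    fi
}

# audit_denied_file FILE -> 0 if FILE lists root and is mode 600, else 1
audit_denied_file() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(stat -c %a "$1")                      # GNU stat (Ubuntu)
    [ "$mode" = 600 ] || { echo "mode $mode, want 600: $1"; return 1; }
    grep -qxF root "$1" || { echo "root not listed in $1"; return 1; }
    return 0
}

# audit_pam_rule PAMFILE -> 0 if an "auth required pam_listfile.so ... item=user
# ... sense=deny" rule is present; backslash-continued lines are joined first.
audit_pam_rule() {
    awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$1" \
        | grep -E '^auth[[:space:]]+required[[:space:]]+pam_listfile\.so' \
        | grep -q 'item=user.*sense=deny'
}

# On a real host, as root:
#   audit_pam_rule /etc/pam.d/sshd && audit_pam_rule /etc/pam.d/login \
#       && audit_denied_file /etc/ssh/deniedusers && echo "root is denied"
```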