Ubuntu - PAM - Restrict root Access to SSH Service
As an example, we will use PAM to disable root user access to a system through the SSH and login services, by adding a deny rule to the PAM stacks of the sshd and login services.
The rule uses the pam_listfile.so module (referenced by file name; PAM locates it in its module directory), which allows or denies access based on an arbitrary list file and so offers great flexibility in limiting the privileges of specific accounts.
Configure a PAM config file for the service to be restricted
Open and edit the file for the target service in the /etc/pam.d/ directory as shown.
sudo vim /etc/pam.d/sshd
or
sudo vim /etc/pam.d/login
Add PAM rule
Add this rule, on a single line, near the top of both files (before the @include common-auth line, so that it is evaluated before the normal authentication modules):
auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/ssh/deniedusers
- auth: is the module type (or context); the rule is consulted when the service authenticates a user.
- required: is a control-flag that means the module must pass or the overall result will be failure, regardless of the status of other modules (later modules in the stack still run, but the final result is already fixed as failure).
- pam_listfile.so: is a module which provides a way to deny or allow services based on an arbitrary file.
- onerr=succeed: module argument which specifies what the module returns when it cannot do its job (the list file is missing, unreadable, not owned by root or world-writable). succeed lets the login proceed in that case (fail open); onerr=fail denies it (fail closed). For a deny list, fail closed is the safer choice, but it locks out every password login if the file is ever removed or misconfigured, so verify the file before choosing it.
- item=user: module argument which specifies what is listed in the file and should be checked (here, user names).
- sense=deny: module argument which specifies the action to take if the item is found in the file; if the item is NOT found, the opposite action (allow) is taken.
- file=/etc/ssh/deniedusers: module argument which specifies the list file, containing one item per line.
Create denied users file
Create the file /etc/ssh/deniedusers and put the name root in it, one user name per line:
sudo vim /etc/ssh/deniedusers
Save the changes and close the file.
Set the required permissions on the denied users file
sudo chmod 600 /etc/ssh/deniedusers
The file must be owned by root (it is, when created with sudo) and must not be world-writable: pam_listfile refuses to use a list that fails either test and falls back to the onerr= behaviour, which with onerr=succeed means the deny list is silently ignored.
From now on, the above rule will tell PAM to consult the /etc/ssh/deniedusers file and deny access to the SSH and login services for any listed user.
Note that sshd only runs the PAM auth stack for password and keyboard-interactive authentication (and only with UsePAM yes in /etc/ssh/sshd_config); a root login with an SSH key does not pass through the auth rule above. To cover key-based logins as well, add the same rule with the account module type (account required pam_listfile.so ...), which sshd evaluates for every authentication method, or set PermitRootLogin no in sshd_config.
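The three steps above (rule, deny list, permissions) scripted end to end, with a check of the list file before relying on it. This is an added example, not code from the original page: PREFIX is a hypothetical variable that lets you dry-run the functions in a scratch directory, and the script only touches /etc when run as root with the argument apply.

```shell
#!/bin/sh
# Added example (not from the original page): apply the pam_listfile deny rule
# to sshd and login, create the deny list, and verify the list file.
# PREFIX is a hypothetical variable: set it to a scratch directory to dry-run
# without touching /etc. Run as root with "apply" to install for real.
set -eu

RULE='auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/ssh/deniedusers'

pam_file()  { printf '%s/etc/pam.d/%s\n' "${PREFIX:-}" "$1"; }
deny_list() { printf '%s/etc/ssh/deniedusers\n' "${PREFIX:-}"; }

# Prepend the rule to a PAM service file so it runs before @include common-auth.
# Idempotent: a file that already carries a pam_listfile rule is left alone.
add_deny_rule() {
    svc=$(pam_file "$1")
    mkdir -p "$(dirname "$svc")"
    [ -f "$svc" ] || : > "$svc"
    grep -q 'pam_listfile\.so' "$svc" && return 0
    { printf '%s\n' "$RULE"; cat "$svc"; } > "$svc.new"
    mv "$svc.new" "$svc"
}

# Write the deny list, one account per line, readable by root only.
write_deny_list() {
    list=$(deny_list)
    mkdir -p "$(dirname "$list")"
    printf '%s\n' "$@" > "$list"
    chmod 600 "$list"
}

# True (0) if the mode grants write to "other". pam_listfile treats a
# world-writable or non-root-owned list as an error, and onerr= then decides.
is_world_writable() {
    case "$(stat -c '%a' "$1")" in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Mirror the decision pam_listfile makes for item=user sense=deny:
# an exact line match in the list means deny (0), anything else allow (1).
would_deny() {
    grep -qxF -- "$1" "$(deny_list)"
}

if [ "${1:-}" = "apply" ]; then
    add_deny_rule sshd
    add_deny_rule login
    write_deny_list root
    list=$(deny_list)
    if is_world_writable "$list" || [ "$(stat -c '%u' "$list")" != 0 ]; then
        echo "refusing: $list must be root-owned and not world-writable" >&2
        exit 1
    fi
    would_deny root && echo "root is now denied by pam_listfile for sshd and login"
fi
```

For a dry run: PREFIX=$(mktemp -d) sh restrict-root.sh apply, then inspect $PREFIX/etc/pam.d/sshd; the file= argument in the rule stays /etc/ssh/deniedusers because that is the path PAM will read on the real system.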
ubuntu/pam/restrict_root_access_to_ssh_service.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1