pam_ckfile Module

Purpose

Denies all non-root user logins if /etc/nologin or an optionally specified file is present.

Description

The pam_ckfile module allows or denies authentication, based on the existence of a file. The file checked for existence can be set with the file=<filename> module option. If not specified the file defaults to /etc/nologin.

If the specified file exists, only root users (those with a user ID of 0) may authenticate. All other users are denied access for the service, and pam_ckfile will echo the contents (if any) of that file. If the specified file does not exist, the module returns PAM_IGNORE. System administrators should ensure that success or failure of the module stack for a service does not depend solely on the result of this module.

It is recommended that pam_ckfile is used as "required" or "requisite" in conjunction with other modules. An example authentication stack is provided below to demonstrate how /etc/nologin behavior with the login service can be implemented.

#
# Provide the standard /etc/nologin behavior for login.
#
login auth required   /usr/lib/security/pam_ckfile file=/etc/nologin
login auth required   /usr/lib/security/pam_aix

Supported PAM module types

Authentication: Denies non-root user authentication if the specified file is present.
Account Management: Denies account access for non-root users if the specified file is present.

Options

The pam_allowroot module accepts the following parameters specified as options in the PAM configuration file:

Item	Description
debug	Log debugging information to syslog.
nowarn	Do not display warning messages.
file=<filename>	Use <filename> instead of /etc/nologin. Note: <filename> must be the full path to the file.

Return Values

Upon successful completion PAM_SUCCESS is returned. If the specified file does not exist the module returns PAM_IGNORE. If another failure occurs, a PAM error code will be returned, depending on the actual error.

Location

/usr/lib/security/pam_ckfile