pam_prohibit Module

Purpose

Returns a value denoting a failure for each PAM module type.

Description

The pam_prohibit module returns a failure for all PAM module types. If used as a required or requisite module for a service, the stack that this module is incorporated into will always fail. It is recommended that individual services be explicitly configured in /etc/pam.conf and that the pam_prohibit module then be used for the OTHER service entries, which apply to any service that has no entries of its own. Configuring the system in this way ensures that only known, explicitly configured PAM-enabled applications are capable of successfully authenticating users; a service that is missing from /etc/pam.conf, or whose name is misspelled there, falls through to OTHER and is denied. Listed below is an example of how to configure the OTHER service keyword in /etc/pam.conf to use the pam_prohibit module:
#
# Fail for all PAM services not explicitly configured
#
OTHER auth     required /usr/lib/security/pam_prohibit
OTHER account  required /usr/lib/security/pam_prohibit
OTHER password required /usr/lib/security/pam_prohibit
OTHER session  required /usr/lib/security/pam_prohibit
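The following audit script is an added example, not part of AIX or of the pam_prohibit module. It checks a pam.conf-style file for the fail-closed OTHER configuration shown above: every one of the four module types must have a required or requisite pam_prohibit entry for OTHER, and no other module may appear in the OTHER stack (an earlier sufficient module that succeeds would return PAM_SUCCESS before pam_prohibit is ever consulted). The two configuration files it inspects are constructed inline for the example; the function name check_other_prohibit is the example's own.

```shell
#!/bin/sh
# Audit a pam.conf-style file: does the OTHER service fail closed via pam_prohibit?
# Added example; not part of AIX or the pam_prohibit module.

# check_other_prohibit FILE
# Prints one line per finding and returns 0 when the OTHER stack consists solely of
# required/requisite pam_prohibit entries covering auth, account, password and session.
# Returns 1 when a module type is missing or when any other module is present for OTHER.
check_other_prohibit() {
    awk '
        BEGIN { n = split("auth account password session", want, " ") }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        $1 != "OTHER" { next }                      # only the OTHER service is audited
        ($3 == "required" || $3 == "requisite") && $4 ~ /pam_prohibit/ { seen[$2] = 1; next }
        { extra++; printf "OTHER %s line does not fail closed: %s\n", $2, $0 }
        END {
            for (i = 1; i <= n; i++)
                if (!seen[want[i]]) {
                    missing++
                    printf "OTHER %s: no required/requisite pam_prohibit entry\n", want[i]
                }
            exit (missing || extra) ? 1 : 0
        }' "$1"
}

# Constructed sample: the recommended fail-closed configuration.
good_conf=$(mktemp) || exit 1
bad_conf=$(mktemp) || exit 1
trap 'rm -f "$good_conf" "$bad_conf"' EXIT
cat > "$good_conf" <<'EOF'
# Fail for all PAM services not explicitly configured
OTHER auth     required /usr/lib/security/pam_prohibit
OTHER account  required /usr/lib/security/pam_prohibit
OTHER password required /usr/lib/security/pam_prohibit
OTHER session  required /usr/lib/security/pam_prohibit
EOF

# Constructed sample of a weak configuration: "optional" cannot fail the account
# stack on its own, and the password module type is not covered at all.
cat > "$bad_conf" <<'EOF'
OTHER auth     required /usr/lib/security/pam_prohibit
OTHER account  optional /usr/lib/security/pam_prohibit
OTHER session  required /usr/lib/security/pam_prohibit
EOF

if check_other_prohibit "$good_conf"; then
    echo "good_conf: OTHER fails closed"
fi
if ! check_other_prohibit "$bad_conf"; then
    echo "bad_conf: OTHER does not fail closed"
fi
```

Run it against /etc/pam.conf after editing the OTHER entries; a zero exit status means every module type for unknown services is denied by pam_prohibit. The script does not parse service-specific stacks, so a service that is configured but named incorrectly will still be reported as protected here even though that service itself is denied at runtime.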

Functionality opposite to that provided by pam_prohibit can be obtained by using the pam_allow module.

Supported PAM module types

Authentication
pam_sm_authenticate returns PAM_AUTH_ERR
pam_sm_setcred returns PAM_CRED_ERR
Account Management
pam_sm_acct_mgmt returns PAM_ACCT_EXPIRED
Session Management
pam_sm_open_session returns PAM_SESSION_ERR
Password Management
pam_sm_chauthtok returns PAM_AUTHTOK_ERR

Options

The pam_prohibit module accepts the following parameters specified as options in the PAM configuration file:
Item Description
debug Log debugging information to syslog.
nowarn Do not display warning messages.

Return Values

The pam_prohibit module will never return PAM_SUCCESS. If an invalid PAM handle is found then PAM_SYSTEM_ERR is returned; otherwise the error code returned is the one listed above for the PAM module type being invoked.

Location

/usr/lib/security/pam_prohibit