Tuesday, December 20, 2016

Controlling User Access V

Disabling User Login

From time to time, you may need to completely disable all logins to your Linux system. For example, you have a serious issue that needs to be resolved and you need to keep everyone out for a period of time. To do this, you first need to log out all current users. You can use the

command to view a list of all currently logged-in users. For example, in Figure 17-6, two users are currently logged in: ksanders and rtracy.




Now that you know who's logged in, you can use the pkill -KILL -u user_name command to brute-force log out each user. For example, in Figure 17-7, the pkill command has been used to log off the ksanders user.






At this point you can disable all future logins. This is actually very easy to do. All you need to do is create a file in /etc named nologin (/etc/nologin). As long as this file exists, no one but root is allowed to log in.




In addition, any text you enter in the nologin file will be displayed if a user does try to log in. In the example shown in Figure 17-8, the text "The system is currently unavailable for login." has been entered in the /etc/nologin file. Thus, when a user tries to log in, this is the error message that is displayed.






This behavior is actually configured in the /etc/pam.d/login file, shown here:

openSUSE:~ # cat /etc/pam.d/login
#%PAM-1.0
auth     requisite pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     include  common-auth
account  include  common-account
password include  common-password
session  required pam_loginuid.so
session  include  common-session
session  required pam_lastlog.so  nowtmp
session  optional pam_mail.so standard
session  optional pam_ck_connector.so



The line that reads "auth requisite pam_nologin.so" causes PAM to check whether a file named nologin exists in /etc. If it does, PAM does not allow regular users to log in.




When you're done, you can re-enable logins by deleting or renaming the nologin file. For example, you could rename it by entering

mv /etc/nologin /etc/nologin.bak

at the shell prompt.
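The whole procedure above (list who is logged in, force them off, create /etc/nologin with a message, confirm pam_nologin is wired into the login stack, rename the file afterwards) as a set of shell functions. This is an added example, not code from the original post. It assumes two variables that are not on the page: NOLOGIN_FILE (defaults to /etc/nologin) and PAM_LOGIN (defaults to /etc/pam.d/login), so the helpers can be exercised against temporary files without touching a live system. The post does not name the command for listing logged-in users; the `who` command is the choice made here.

```shell
#!/bin/sh
# Added example (not from the original post): maintenance-mode helpers built
# around /etc/nologin. NOLOGIN_FILE and PAM_LOGIN are assumptions introduced
# here so the functions can be tested against temporary paths.
NOLOGIN_FILE="${NOLOGIN_FILE:-/etc/nologin}"
PAM_LOGIN="${PAM_LOGIN:-/etc/pam.d/login}"

# Step 1: list currently logged-in users (one name per line). The post leaves
# the command unnamed; `who` is used here.
logged_in_users() {
    who | awk '{print $1}' | sort -u
}

# Step 2: force a user off. pkill -KILL -u terminates every process owned by
# that user, not just the login shell, so it is a blunt instrument.
force_logout() {
    pkill -KILL -u "$1"
}

# Step 3: block new non-root logins. pam_nologin only checks that the file
# exists; whatever it contains is shown to users whose login is refused.
maintenance_enable() {
    printf '%s\n' "$1" > "$NOLOGIN_FILE"
}

# Step 4: re-enable logins by renaming the file, as the post does with mv.
maintenance_disable() {
    if [ -e "$NOLOGIN_FILE" ]; then
        mv "$NOLOGIN_FILE" "$NOLOGIN_FILE.bak"
    fi
}

# Exit status 0 when non-root logins are currently blocked.
logins_blocked() {
    [ -e "$NOLOGIN_FILE" ]
}

# Print the message users will see while logins are blocked.
maintenance_message() {
    cat "$NOLOGIN_FILE"
}

# The lock only works if pam_nologin is actually in the login stack.
# Exit status 0 when the "auth requisite pam_nologin.so" line is present.
pam_nologin_configured() {
    grep -Eq '^auth[[:space:]]+requisite[[:space:]]+pam_nologin\.so' "$PAM_LOGIN"
}
```

Creating the file blocks only new logins; sessions that already exist keep running, which is why the post has you log users off first. Run pam_nologin_configured before relying on the file: if the pam_nologin line has been removed from /etc/pam.d/login, the file exists but nothing enforces it.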








LX0-104 Exam Objectives (V and U, 323, 647 - 689)
