'\" te
.\" Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
.TH pam_deny 5 "22 May 2012" "SunOS 5.11" "Standards, Environments, and Macros"
.SH NAME
pam_deny \- PAM authentication, account, session and password management PAM module to deny operations
.SH SYNOPSIS
.LP
.nf
\fBpam_deny.so.1\fR
.fi

.SH DESCRIPTION
.sp
.LP
The \fBpam_deny\fR module implements all the PAM service module functions and returns the module type default failure return code for all calls.
.sp
.LP
The following options are interpreted:
.sp
.ne 2
.mk
.na
\fBdebug\fR
.ad
.RS 9n
.rt  
\fBsyslog\fR(3C) debugging information at the \fBLOG_AUTH\fR|\fBLOG_DEBUG\fR levels
.RE

.SH ERRORS
.sp
.LP
The following error codes are returned:
.sp
.ne 2
.mk
.na
\fB\fBPAM_ACCT_EXPIRED\fR\fR
.ad
.RS 20n
.rt  
If \fBpam_sm_acct_mgmt\fR is called.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_AUTH_ERR\fR\fR
.ad
.RS 20n
.rt  
If \fBpam_sm_authenticate\fR is called.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_AUTHOK_ERR\fR\fR
.ad
.RS 20n
.rt  
If \fBpam_sm_chauthtok\fR is called.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_CRED_ERR\fR\fR
.ad
.RS 20n
.rt  
If \fBpam_sm_setcred\fR is called.
.RE

.sp
.ne 2
.mk
.na
\fB\fBPAM_SESSION_ERR\fR\fR
.ad
.RS 20n
.rt  
If \fBpam_sm_open_session\fR or \fBpam_sm_close_session\fR is called.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRDisallowing \fBssh\fR none authentication
.sp
.LP
The following example is a \fBpam.con\fRf fragment that illustrates how to deny the SSHv2 \fBuserauth\fR of "none":

.sp
.in +2
.nf
 sshd-none      auth       requisite   pam_deny.so.1
 sshd-none      account    requisite   pam_deny.so.1
 sshd-none      session    requisite   pam_deny.so.1
 sshd-none      password   requisite   pam_deny.so.1
.fi
.in -2
.sp

.sp
.LP
The equivalent configuration in \fB/etc/pam.d/\fR would be the following entries in \fB/etc/pam.d/sshd-none:\fR

.sp
.in +2
.nf
auth      requisite   pam_deny.so.1
account   requisite   pam_deny.so.1
session   requisite   pam_deny.so.1
password  requisite   pam_deny.so.1
.fi
.in -2
.sp

.LP
\fBExample 2 \fRDisallowing any service not explicitly defined
.sp
.LP
The following example is a \fBpam.conf\fR fragment that illustrates how to deny any PAM service which is not explicitly defined in the PAM configuration:

.sp
.in +2
.nf
 other          auth       requisite   pam_deny.so.1
 other          account    requisite   pam_deny.so.1
 other          session    requisite   pam_deny.so.1
 other          password   requisite   pam_deny.so.1
.fi
.in -2
.sp

.sp
.LP
The equivalent configuration in \fB/etc/pam.d/\fR would be the following entries in \fB/etc/pam.d/other\fR:

.sp
.in +2
.nf
auth      requisite   pam_deny.so.1
account   requisite   pam_deny.so.1
session   requisite   pam_deny.so.1
password  requisite   pam_deny.so.1
.fi
.in -2
.sp

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for a description of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Interface StabilityCommitted
_
MT-LevelMT-Safe with exceptions
.TE

.SH SEE ALSO
.sp
.LP
\fBsu\fR(1M), \fBlibpam\fR(3LIB), \fBpam\fR(3PAM), \fBpam_sm_authenticate\fR(3PAM), \fBsyslog\fR(3C), \fBpam.conf\fR(4), \fBnsswitch.conf\fR(4), \fBattributes\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5), \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5), \fBprivileges\fR(5)
.SH NOTES
.sp
.LP
The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.
.sp
.LP
The \fBpam_deny\fR module is intended to deny access to a specified service. The \fBother\fR service name may be used to deny access to services not explicitly specified.