When I work on Linux test server (Debian 11) I have root, and want block other users open new session to this server during my work.
Is it possible?
Add a comment |
2 Answers
When you are logged in as root, you can create a file named /var/run/nologin (historically /etc/nologin), and this should prevent non root users from logging in. When you are done your work as root, you can then delete that file to resume access to other users.
See the man page for nologin (5):
Name
nologin - prevent unprivileged users from logging into the system
Description
If the file
/etc/nologinexists and is readable,login(1) will allow access only to root. Other users will be shown the contents of this file and their logins will be refused.
On at least some systems this is controlled through PAM with the pam_nologin module. on Debian this module is the first account entry for login and sshd, placed before the inclusion of common_account:
# Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so 
- Does this also disallow logins via SSH?2023-03-28 12:58:26 +00:00Commented Mar 28, 2023 at 12:58
- 1@Kusalananda it's managed through PAMChris Davies– Chris Davies2023-03-28 13:00:54 +00:00Commented Mar 28, 2023 at 13:00
- @roaima Hm.. Ok. It worked (stopped SSH logins) on an Alpine Linux machine but not on FreeBSD which I believe also uses PAM. The answer would benefit from explaining what the prerequisite are for this to work.2023-03-28 13:16:36 +00:00Commented Mar 28, 2023 at 13:16
- 1@Kusalananda the PAM documentation for FreeBSD uses
pam_nologinthroughout all its examples. You might want to test with/var/run/nologinas well as/etc/nologinChris Davies– Chris Davies2023-03-28 13:36:37 +00:00Commented Mar 28, 2023 at 13:36 - 1@roaima
/var/run/nologindid it on FreeBSD.2023-03-28 13:41:53 +00:00Commented Mar 28, 2023 at 13:41
Yes, it's possible. See man sshd_config for information on how to restrict who can authenticate.
You could add the AllowGroups root directive to the sshd config manually, then make the sshd service reload.
