Securing Users and Processes in Oracle® Solaris 11.4

Updated: November 2020
 
 

Setting Remote Login Restrictions

This section describes several ways to prevent remote login for specific non-root users. To prevent remote login by root, review the description of the CONSOLE variable in the /etc/default/login file and see Securing Logins and Passwords in Securing Systems and Attached Devices in Oracle Solaris 11.4.

Oracle Solaris provides the following ways to prevent remote logins for specific non-root users:

  • You can specify the days and times when users can access a PAM service such as ssh. For example, use the access_times security attribute to prevent jdoe from using Secure Shell:

    # usermod -K access_times={ssh}:Al0000-0000 jdoe

    The value indicates that for All Days (Al) no access times are available. For more information, see the user_attr(5) man page.

    One advantage of using RBAC security attributes is that you can use the -S ldap option to the user and role configuration commands to maintain the restriction in LDAP. Another advantage is that you can specify the service names, days, and times when access is allowed.

  • You can add specific users to the DenyUsers property in Secure Shell. For more information, see the ssh_config(5) man page.

  • You can customize a PAM stack to include the pam_deny module, and assign the customized PAM stack to specific users by using the pam_policy security attribute to the user and role configuration commands. For more information, see Configuring PAM in Managing Authentication in Oracle Solaris 11.4 and the pam_deny(7) and pam_user_policy(7) man pages.

  • You can create labeled directories and clearances for specific users that prevent all other users, including root, from accessing the data contained in those directories. Labels enable users to create sandboxes for projects. For more information, see Labeling Processes for Data Loss Protection and the sandboxing(7) man page.
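
The following audit helper is an added example, not Oracle code. It checks which accounts carry the access_times value shown in the first item above. It recognizes only the {service}:Al0000-0000 form from this page and assumes that several service names inside the braces are comma-separated; any other value is reported for manual review against user_attr(5).

```shell
#!/bin/sh
# Added example (not Oracle code): classify an access_times value for one
# PAM service.
#   denied - value has the page's "Al0000-0000" form and names the service
#   other  - a value is set but is not in that form; review it by hand
#   unset  - no access_times value is assigned
# Assumption: service names inside the braces are comma-separated.
classify_access_times() {
    value=$1
    service=$2
    lb='{'
    rb='}'
    if [ -z "$value" ]; then
        echo unset
        return 0
    fi
    case $value in
        "$lb"*"$rb:Al0000-0000")
            list=${value#"$lb"}      # drop the opening brace
            list=${list%%"$rb"*}     # keep only the service list
            case ",$list," in
                *",$service,"*) echo denied; return 0 ;;
            esac
            ;;
    esac
    echo other
}

# Read "user value" pairs on stdin and print the users whose ssh access
# is fully denied. On a Solaris system the value for one account can be
# read with userattr(1), for example: userattr access_times jdoe
ssh_denied_users() {
    while read -r user value; do
        if [ "$(classify_access_times "$value" ssh)" = denied ]; then
            echo "$user"
        fi
    done
    return 0
}

# Constructed sample input: jdoe is restricted, asmith has no value set.
printf '%s\n' 'jdoe {ssh}:Al0000-0000' 'asmith' | ssh_denied_users
```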