
Managing Authentication in Oracle® Solaris 11.4


Updated: November 2020

How to Restrict Who Can Log In to the Console

In this task, you limit access to the console to particular users. The /etc/pam.d/login configuration file controls console login.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Modify the /etc/pam.d/login file.
    1. Save a copy of the login file, then open the original file.
      # cd /etc/pam.d
      # cp login login.orig
      # pfedit login
    2. Add the following entries:
      ## Account management for login(1) incorporates pam_list(7)
      ##
      ## To restrict which users and netgroups are allowed to log in to
      ## the console, add these lines below and add those users and
      ## netgroups to the /etc/users.allow configuration file.
      ##
      account requisite pam_roles.so.1
      account definitive pam_user_policy.so.1
      account required pam_unix_account.so.1
      account required pam_list.so.1 allow=/etc/users.allow
      account required pam_tsol_account.so.1
  2. Create and protect the /etc/users.allow file.
    # cd /etc
    # touch users.allow ; chmod 644 users.allow
  3. Add users to the /etc/users.allow file.
    • For example, add the jdoe account.
      # pfedit users.allow
      ## permitted console logins
      jdoe
    • For example, add netgroups.

      Netgroups are centrally defined groups, for example in LDAP, whose members are users. Members of a listed netgroup can log in to this particular system on the console.

      ## permitted console logins
      jdoe
      @alladmins

      For more information, see the netgroup(5) and pam_list(7) man pages.
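The following POSIX shell script is an added audit helper, not part of the Oracle documentation. It checks that the login stack carries the pam_list line from step 1, that the allow file has the 644 mode set in step 2, and models which users the allow file admits (bare names match the user, @entries match one of the user's netgroups, '#' starts a comment). Function names and the sample files are constructed for this example; on a live system the decision is made by pam_list(7) against the real netgroup sources.

```shell
#!/bin/sh
# Constructed audit helper for the pam_list console restriction (not Oracle's code).

# 0 if STACK ($1, a pam.d login file) has "account required pam_list.so.1 allow=$2".
pam_list_configured() {
    grep -E "^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_list\.so\.1[[:space:]]+allow=$2([[:space:]]|\$)" "$1" >/dev/null
}

# 0 if FILE ($1) is a regular file, mode 644 and owned by OWNER ($2, default root).
allow_file_sane() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$mode" = "-rw-r--r--" ] && [ "$owner" = "${2:-root}" ]
}

# Print the effective entries of an allow file: '#' comments and blank lines dropped.
allow_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# 0 if USER ($2), member of the space-separated NETGROUPS ($3), is admitted by FILE ($1).
# Models the matching described above: a bare entry must equal the user name,
# an @entry must name one of the user's netgroups.
console_allowed() {
    file=$1 user=$2 netgroups=${3:-}
    for entry in $(allow_entries "$file"); do
        case "$entry" in
            @*) for g in $netgroups; do
                    [ "$g" = "${entry#@}" ] && return 0
                done ;;
            *)  [ "$entry" = "$user" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed sample files standing in for /etc/pam.d/login and /etc/users.allow.
demo=${TMPDIR:-/tmp}/pam_list_demo.$$
mkdir -p "$demo"
printf 'account required pam_unix_account.so.1\naccount required pam_list.so.1 allow=/etc/users.allow\n' > "$demo/login"
printf '## permitted console logins\njdoe\n@alladmins\n' > "$demo/users.allow"
chmod 644 "$demo/users.allow"

pam_list_configured "$demo/login" /etc/users.allow && echo "login stack: pam_list wired to /etc/users.allow"
allow_file_sane "$demo/users.allow" "$(id -un)" && echo "users.allow: regular file, mode 644"
console_allowed "$demo/users.allow" jdoe ""          && echo "jdoe: allowed (listed by name)"
console_allowed "$demo/users.allow" asmith alladmins && echo "asmith: allowed (member of @alladmins)"
console_allowed "$demo/users.allow" mallory staff    || echo "mallory: denied"
rm -rf "$demo"
```

Run it as root against the real files by replacing the sample paths with /etc/pam.d/login and /etc/users.allow and omitting the owner argument.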