Go to main content

Managing Authentication in Oracle® Solaris 11.4

Exit Print View

Updated: November 2020

How to Restrict Who Can Log In to the Console

In this task, you limit access to the console to particular users. The /etc/pam.d/login configuration file controls console login.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Modify the /etc/pam.d/login file.
    1. Save a copy of the login file, then open the original file.
      # cd /etc/pam.d
      # cp login login.orig
      # pfedit login
    2. Add the following entries:
      ## Account management for login(1) incorporates pam_list(7)
      ## To restrict which users and netgroups are allowed to log in to 
      ## the console, add these lines below and add those users and 
      ## netgroups to the /etc/users.allow configuration file.
      account requisite pam_roles.so.1
      account definitive pam_user_policy.so.1
      account required pam_unix_account.so.1
      account required pam_list.so.1 allow=/etc/users.allow
      account required pam_tsol_account.so.1
  2. Create and protect the /etc/users.allow file.
    # cd /etc
    # touch users.allow ; chmod 644 users.allow
  3. Add users to the /etc/users.allow file.
    • For example, add the jdoe account.
      # pfedit users.allow
      ## permitted console logins
    • For example, add netgroups.

      Netgroups are groups that are centrally defined, such as in LDAP, and have user members. Members of a listed netgroup will be able to log in to this particular system on the console.

      ## permitted console logins

      For more information, see the netgroup(5) and pam_list(7) man pages.