There are two ways to allow or restrict system login to specific user groups only. The simplest method is to use a PAM module; another option is the login access control table. Locking down system login access is a very important task if you need a secure system.

The system administrator is free to choose how individual service-providing applications authenticate users. Many new admins are not aware of PAM and related services. In this tip you are going to use the authentication (auth) group, which authenticates a user and sets up user credentials.

Deny or allow access to groups using PAM

pam_listfile is a PAM module which provides a way to deny or allow access to services based on an arbitrary file. The service can be any one of the following:
=> su
=> sudo
=> ftp
=> Mail Service (MTA/POP3/IMAP)
=> SSH
=> Samba
=> Crond
=> Squid and many others

How do I setup pam_listfile PAM module for group based login?

Let us say you would like to allow login to only members of wheel (root user) and webdev groups.

Step # 1: Create /etc/ file

The /etc/ file contains one line per group name listed. If the group name is found, login is allowed; otherwise the authorization request is denied:
# vi /etc/
Add group names:

Save and close the file.

Step # 2: Allow group based login to all services

Open /etc/pam.d/system-auth file if you are using Redhat / RHEL / Fedora / CentOS Linux. If you are using Debian / Ubuntu Linux use /etc/pam.d/common-auth file:
# vi /etc/pam.d/system-auth
You must add the following config directive at the top of the file:
auth required onerr=fail item=group sense=allow file=/etc/

  • auth required : The auth module type and the required control flag; this module's result is needed for group based login to succeed
  • onerr=fail : What to do if something unexpected happens, such as being unable to open the file or a busy disk I/O. In our case login is denied until the problem is sorted out.
  • item=group : Check the group name
  • sense=allow : The authorization request succeeds if the group name is found in the /etc/ file
  • file=/etc/ : The file contains one line per group name listed. If the group name is found and sense=allow is set, PAM_SUCCESS is returned, causing the authorization request to succeed.

Caution: Please note that by adding the above line you are forcing this configuration on all login services, including ssh, telnet, mail, su, sudo and all other PAM-aware services. If you need login restrictions for a specific service only, modify that service's own file, /etc/pam.d/service-name, instead.

Save and close the file. This will only allow users that belong to the root, wheel and webdev groups to log in to the system. You can apply the above technique to:

  • User names
  • Shell
  • Tty names
  • Rhost / Ruser (remote login host / user id)

The config can be reversed to deny login to a specific group name by modifying the configuration file. This is left as an exercise for the reader (hint: type man pam_listfile).
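To see what the directive above actually decides before it goes live, here is an added shell dry-run (example code written for this page, not part of the original article or of Linux-PAM itself): it resolves each account's primary and supplementary groups from passwd/group data, reports whom a sense=allow list would admit, checks that the list file is not group- or world-writable (pam_listfile refuses such a file, which with onerr=fail denies everyone), and prints the full pam_listfile.so directive while insisting on an absolute file= path. The passwd, group and list-file contents are constructed, and the file name login.group.allowed is an assumption, since the article's own file name is not shown here.

```shell
#!/bin/sh
# Added example, not from the original article: dry-run what pam_listfile's
# "item=group sense=allow" rule would decide for each account, and sanity-check
# the list file, before the line goes into /etc/pam.d. All passwd/group data
# used in the demo below is constructed; the list-file name is an assumption.

# Print the user's primary and supplementary groups from the given passwd/group files.
user_groups() {                      # user_groups PASSWD GROUP USER
    gid=$(awk -F: -v u="$3" '$1 == u { print $4 }' "$1")
    awk -F: -v u="$3" -v g="$gid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$2"
}

# Exit 0 if any of the user's groups is listed (one name per line) in LISTFILE,
# which is what sense=allow turns into PAM_SUCCESS; exit 1 otherwise.
listfile_allows() {                  # listfile_allows PASSWD GROUP LISTFILE USER
    for grp in $(user_groups "$1" "$2" "$4"); do
        grep -qx "$grp" "$3" && return 0
    done
    return 1
}

# pam_listfile refuses a list file that is group- or world-writable (or not owned
# by root); with onerr=fail that denies every login, so check the mode first.
listfile_mode_ok() {                 # listfile_mode_ok LISTFILE
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in ?????w*) return 1 ;; esac     # group write bit set
    case $mode in ????????w*) return 1 ;; esac  # other write bit set
    return 0
}

# Print the exact directive for the top of the PAM stack. The file= value must be
# absolute: "file=etc/..." quietly breaks the module (see the comment thread below).
pam_directive() {                    # pam_directive LISTFILE
    case $1 in /*) ;; *) echo "file= must be an absolute path: $1" >&2; return 1 ;; esac
    printf 'auth required pam_listfile.so onerr=fail item=group sense=allow file=%s\n' "$1"
}

# Demo on constructed data: only wheel and webdev are listed, so root (primary
# group "root", not a wheel member in this data) and carol would be locked out.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0::/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\nbob:x:1001:1001::/home/bob:/bin/sh\ncarol:x:1002:100::/home/carol:/bin/sh\n' > "$d/passwd"
    printf 'root:x:0:\nwheel:x:10:alice\nusers:x:100:\nalice:x:1000:\nbob:x:1001:\nwebdev:x:20:bob\n' > "$d/group"
    printf 'wheel\nwebdev\n' > "$d/login.group.allowed"   # assumed list-file name
    chmod 644 "$d/login.group.allowed"
    listfile_mode_ok "$d/login.group.allowed" && pam_directive "$d/login.group.allowed"
    for u in root alice bob carol; do
        if listfile_allows "$d/passwd" "$d/group" "$d/login.group.allowed" "$u"; then
            echo "$u: allowed"
        else
            echo "$u: DENIED"
        fi
    done
    rm -r "$d"
}
demo
```

Run it as-is to see the constructed report. Note that root is denied in this data because its primary group is root and it is not a wheel member, so list every group you actually rely on, including the one your own admin account logs in with, before enabling the rule. The dry-run says nothing about which stack a given service reads; as the comments below point out, sshd on RHEL/Fedora includes password-auth rather than system-auth.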

=> Related PAM config FAQ : Linux PAM configuration that allows or deny user login via the sshd server

20 comments
  • ashwani Jun 10, 2009 @ 22:11

    What a good idea sir ji …. Thanks 😉

  • yash Aug 11, 2010 @ 3:28

    This doesn’t work. I followed both steps … but still all users can login successfully ! >.<

  • scott rineer Mar 30, 2011 @ 16:24

    I second this, it does not work
    running on RHEL5.6 x64

  • Denis Apr 12, 2011 @ 15:28

    Doesn’t work, running CentOS 5.5

  • popfobia May 5, 2011 @ 12:07

    I need some users to be able to do “su –” to other users but not to root; how can I do that?

    • Remy May 6, 2011 @ 0:42

      Make sure ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is there in /etc/ssh/sshd_config

      • popfobia May 16, 2011 @ 19:47

        The problem is: I want to log in via ssh with the user pedro, and as pedro be able to do “su –” to another user, for example apache.

  • Remy May 18, 2011 @ 20:04

    Check for “Restricting su Access to System and Shared Accounts in”

  • popfobia May 18, 2011 @ 21:26

    Thanks, I’m gonna try.

  • popfobia May 18, 2011 @ 21:44

    There is a problem with that: it is like using the wheel group. I need a normal user to be able to su to other normal users but not to root.

    For example: user1 can do su to apache, but user1 cannot do su to root.

  • heegemcgee May 3, 2012 @ 21:30

    Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.

    • kris Jan 15, 2013 @ 20:27

      I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.

  • Philipp May 28, 2012 @ 15:43

    Tutorial is great..
    But there is one big problem..
    You used required instead of requisite..

    failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.

    like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)

    That’s the problem 🙂

  • chase Oct 30, 2013 @ 20:29

    Works great. Only users part of wheel group can login now.

    But now when those user try to use sudo, they get this error:

    sudo: pam_authenticate: Error in service module

    • 🐧 nixCraft Oct 31, 2013 @ 7:52

      Check sudo log file or system log file in /var/log directory.

      • chase Oct 31, 2013 @ 15:42

        Thank you. I had file=etc/…. instead of file=/etc/….

    • Prime Dec 4, 2013 @ 16:19

      Can you please be more specific on how you got it to work?

      • Chase Dec 4, 2013 @ 17:48

        In the /etc/pam.d/system-auth file, the correct line should read:
        auth required onerr=fail item=group sense=allow file=/etc/

        I had:
        auth required onerr=fail item=group sense=allow file=etc/

        (notice there is no ‘/’ in front of etc/)

  • Barrett Clow Sep 12, 2015 @ 6:05

    I couldn’t resist commenting. Perfectly written!

  • Scott Sisco Mar 8, 2016 @ 0:19

    So this works perfectly with one huge exception. The server I have this enabled on is running a cups server. I need to be able to login though a web browser using HTTPS in order to add printers with a user in the lpadmin group. I’ve added lpadmin to the /etc/, but logins over HTTPS are being blocked.

    I have no issue using the ssh and sudo with groups in the /etc/ file the issue seems specific to authentication with HTTPS.

    Any pointers on how I can get HTTPS authentication working?


    Is there a way to
