PAM nologin not preventing non-root account logins

[FriedIV]

kali-linux-2016.1-amd64

Installed on VMWare 12.1.0 build-3272444


I have been trying to track the security settings for my kali installation.

It is my understanding that non root users are not allowed to login.

Under /etc/pam.d/login

pam_nologin.so is set to "auth requisite pam_nologin.so"

The PAM documentation states that:

"pam_nologin is a PAM module that prevents users from logging into the system when /var/run/nologin
or /etc/nologin exists. The contents of the file are displayed to the user. The pam_nologin module
has no effect on the root user's ability to log in."

First the nologin file does not exist in either directory.

I created a new account and tried logging in. I was successful.

Deleted account.

Created a file "/etc/nologin" just some text.

Created a new account.

Tried logging in with new account. Success. I was again able to login as a not root user.

As the pam_nologin.so is requisite then failure should be guaranteed. If one attampts to login as
other than root user.


Additional information: Somehow the OS is deleting the nologin file I placed in /etc/nologin.

I am very new at this so I do expect I am missing something simple.

A little direction would be appreciated.

[FriedIV]

Ok, well no one seems to be free with some insight so far. But I have not stopped poking this pig.

From what I can discern:
1) /etc/init.d/bootmisc.sh sets DELAYLOGIN to true
if (DELAYLOGIN) then create file /var/lib/nologin // I am unclear how this is accomplished as /var/lib/initscripts/nologin doesn't exist after boot up.

I do not understand what this accomplishes because as stated in my previous post I can login as a not-root user.

2) As for the non existence of the nologin file after boot, /etc/init.d/rmnologin removes the file after boot process.

I still want to understand why PAM_nologin is set to prevent non-root users to login and at the same time not accomplish this task.

Thx