pam.deny.change.shell

This configuration parameter specifies whether a user who is denied access, for example because they are listed in the pam.deny.user parameter or are not listed in the pam.allow.user parameter, should have their shell set to the shell defined by the nss.shell.nologin parameter. The parameter value can be set to true or false.

If set to true, this parameter adds an extra level of security by ensuring that the zone user who is denied access cannot obtain any shell access, even if authenticated through Kerberos, SSH, or some other non-PAM related method. If this parameter is set to false, the denied user's shell is not changed, so the user may still be able to access the system.

Because of the potential security issue, the default value for this parameter is true. However, since group lookups can be time-consuming for simple NSS queries, you can set this parameter to false to prevent the agent from changing the user’s shell when denied access.

For example, to leave the user’s shell unchanged when denied access, set this parameter to false.

pam.deny.change.shell: false
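As an added example (not part of the original page or of the agent's own tooling), the following audit script reads a configuration fragment in the key: value syntax shown above and reports what a denied user's shell would become, applying the documented default of true when the parameter is absent. The sample fragment and the /sbin/nologin path are constructed for the example; the real configuration file path is not given on this page.

```shell
#!/bin/sh
# Constructed sample fragment in the same "key: value" syntax as the page;
# this is NOT a real host's configuration file.
SAMPLE_CONF="$(mktemp)"
cat >"$SAMPLE_CONF" <<'EOF'
# denied users keep their shell on this host (weak setting)
pam.deny.user: alice, bob
nss.shell.nologin: /sbin/nologin
pam.deny.change.shell: false
EOF

# Second constructed fragment: parameter omitted, so the default (true) applies.
DEFAULT_CONF="$(mktemp)"
cat >"$DEFAULT_CONF" <<'EOF'
pam.deny.user: alice
nss.shell.nologin: /sbin/nologin
EOF

# conf_get FILE KEY: print the value of KEY (last occurrence wins), skipping
# comment lines; prints nothing if the key is not set.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# effective_deny_shell FILE: print "unchanged" when pam.deny.change.shell is
# false, otherwise the nss.shell.nologin value that a denied user receives.
effective_deny_shell() {
    change="$(conf_get "$1" pam.deny.change.shell)"
    [ -z "$change" ] && change=true   # documented default is true
    case "$change" in
        false|False|FALSE) echo unchanged ;;
        *) nologin="$(conf_get "$1" nss.shell.nologin)"
           echo "${nologin:-<nss.shell.nologin unset>}" ;;
    esac
}

# Report both fragments; a result of "unchanged" is the setting to flag in review.
for f in "$SAMPLE_CONF" "$DEFAULT_CONF"; do
    echo "$f: denied users of [$(conf_get "$f" pam.deny.user)] get shell: $(effective_deny_shell "$f")"
done
```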