> Under CentOS5, I used this configuration to restrict access to root only: > > # cat /etc/security/access.conf > + : root : ALL > - : ALL : ALL > # cat /etc/pam.d/system-auth-ac > ... > account required pam_access.so > account required pam_unix.so > account sufficient pam_localuser.so > account sufficient pam_succeed_if.so uid < 500 quiet > account required pam_permit.so > ... > # Figured it out by reverse-engineering the changes made by system-config-authentication. In addition to system-auth-ac, as a minimum, password-auth-ac needs the same update. To make it complete, fingerprint-auth-ac and smartcard-auth-ac need the additional line, too (not that they matter on the server hw here). The state of PAM access is also recorded in /etc/sysconfig/authconfig (USEPAMACCESS=yes/no), but this seems to serve as a reminder for system-config-authentication more than actual system services configuration.