Listing 2. A safe "other" definition forbids all generic
access
in absence of specific rules. The pam_deny.so module always returns
failure, so all access attempts will be
rejected, and pam_warn.so sends a warning to the sysadmin.

#
# default; deny all accesses
#
auth    required       pam_deny.so
auth    required       pam_warn.so
account required       pam_deny.so
password        required        pam_deny.so
password        required        pam_warn.so
session required        pam_deny.so