Anyone know if there is a way to specify a specific user, or users (a group?), allow access either via ssh or at console when there is a /etc/nogin file present?
I found a thread online that mentions adding the following line to /etc/pam.d/login just before the 'account required pam_nologin.so' line:
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup group
I've tested this and it's not working for me. I'm testing this in CentOS 7.
I'm no expert here, but I thought all PAM config must have a verb e.g. requsite, sufficient etc - and sounds like you would want sufficient i.e. let the person through without asking any furhter checks
auth required pam_succeed_if.so quiet user ingroup groupname