Index: pam_unix.8 =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_unix/pam_unix.8,v retrieving revision 1.11 diff -u -r1.11 pam_unix.8 --- pam_unix.8 21 Jan 2005 10:44:10 -0000 1.11 +++ pam_unix.8 3 Oct 2005 17:22:09 -0000 @@ -121,6 +121,8 @@ then this option will forgo password prompting, and silently allow authentication to succeed. +.It Cm deny_root +Fail if the current real user ID is 0. .It Cm local_pass Use only the local password database, even if NIS is in use. Index: pam_unix.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_unix/pam_unix.c,v retrieving revision 1.51 diff -u -r1.51 pam_unix.c --- pam_unix.c 5 Jul 2005 18:42:18 -0000 1.51 +++ pam_unix.c 18 Dec 2005 22:21:37 -0000 @@ -76,6 +76,7 @@ #define PAM_OPT_LOCAL_PASS "local_pass" #define PAM_OPT_NIS_PASS "nis_pass" +#define PAM_OPT_DENY_ROOT "deny_root" char *tempname = NULL; @@ -100,7 +101,13 @@ pwd = getpwnam(user); } - PAM_LOG("Got user: %s", user); + if (pwd != NULL && pwd->pw_uid == 0 && + openpam_get_option(pamh, PAM_OPT_DENY_ROOT)) { + PAM_LOG("Deny superuser: %s", user); + pwd = NULL; + } else { + PAM_LOG("Got user: %s", user); + } if (pwd != NULL) { PAM_LOG("Doing real authentication");
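Review bot: The check added in the `-100,7 +101,13` hunk of pam_unix.c tests `pwd->pw_uid == 0`, the account returned by `getpwnam(user)`, but the pam_unix.8 hunk documents deny_root as "Fail if the current real user ID is 0", which describes the calling process, not the target account. An administrator relying on the man page would misjudge what the option protects, so code and text should agree; if the code is the intent, the man page line could read `Fail if the account being authenticated has user ID 0.` Setting `pwd = NULL` presumably sends a denied superuser down the same path as an unknown user, but that code is outside the hunk. A comment above the `if` would record the intent, for example `/* deny_root: handle uid 0 like an unknown account so the failure looks the same to the caller */`. The enclosing function starts and ends outside the hunk.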