I log in to an account, for example my_name_1; now I want to change to another account, named my_name_2. For example,

    $ whoami
    tom          <--- legal user
    $ su john    <-- illegal operation, should be refused.

In this case, how can I refuse the request with PAM?
<snip>

If I understand your question correctly, you are trying to prohibit access to the john user via su. If this is the case, and you want to prevent all users from being able to su to john, then you can use a pam_listfile restriction in /etc/pam.d/su which controls access to who can be su'd to and not who can su to another user.

Hope this helps,
Barry
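
What the pam_listfile restriction described in the reply could look like, as an added example that is not part of the original thread. The list file path /etc/security/su-deny-targets is an assumed name, and the line's position relative to pam_rootok.so depends on whether root should be refused as well.

```conf
# /etc/pam.d/su (excerpt, added example)
#
# Refuse su to any target account named in the list file.
#   item=user   compare against the account being switched to
#   sense=deny  a match means "refuse"
#   onerr=fail  fail closed: if the list file is missing or unusable,
#               every su attempt is refused
#
# The list file (assumed path) holds one account name per line, for
# example a single line reading: john
# It must be a regular file and must not be world-writable, e.g.
# owned by root with mode 0644.
#
# Placement: put this line above "auth sufficient pam_rootok.so" if
# root must also be refused; below it, root's su succeeds before this
# check is reached.
auth       required     pam_listfile.so item=user sense=deny file=/etc/security/su-deny-targets onerr=fail

# Usual distribution line, shown only to illustrate ordering.
auth       sufficient   pam_rootok.so
```

In the su service the PAM user item is the target account, which is why item=user matches john rather than tom. Other ways of becoming john, such as sudo -u john, go through their own PAM service files and are not affected by this line.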