On Wed, 10 Dec 2008, Dan Nelson wrote:

In the last episode (Dec 10), Dan Mahoney, System Admin said:
I'm noticing that when following the directions given here:


For how to disable logins, the recommended action is to set the shell to

However, this is sloppy as it allows the user to log in, get the
motd, do everything short of getting a shell.

I've tried starring out the password in the +::::::::: entry, (and
putting in a "bad" password, like x), and those don't seem to work.
I am still able to connect via sshd and prove that the account works.

By default, the passwd field is ignored in an NIS + or - line. It looks
like if you rebuild libc with PW_OVERRIDE_PASSWD=1,  you will get the
behaviour you're looking for (see the compat_set_template function in

Okay, let's look at it from an alternate tack then -- what else renders an account invalid?

Is there a pam knob to check /etc/shells?  Or an sshd option?

I found these:


for a user who had a similar problem, but freebsd doesn't appear to have the requisite module. This could also be implemented as an option to pam_unix (which could check either /etc/shells or the NIS equivalent, since it already has the NIS hooks.)

I'll make a separate post to -hackers requesting this.

it's probably pretty trivial to port, but I'm leery to do so not-being a c-coder.



"Of course she's gonna be upset!  You're dealing with a woman here Dan,
what the hell's wrong with you?"

-S. Kennedy, 11/11/01

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to