On Wed, 10 Dec 2008, Dan Nelson wrote:

In the last episode (Dec 10), Dan Mahoney, System Admin said:
I'm noticing that when following the directions given here:

http://www.freebsd.org/doc/en/books/handbook/network-nis.html

For how to disable logins, the recommended action is to set the shell to
/sbin/nologin.

However, this is sloppy as it allows the user to log in, get the
motd, do everything short of getting a shell.

I've tried starring out the password in the +::::::::: entry, (and
putting in a "bad" password, like x), and those don't seem to work.
I am still able to connect via sshd and prove that the account works.

By default, the passwd field is ignored in an NIS + or - line. It looks
like if you rebuild libc with PW_OVERRIDE_PASSWD=1,  you will get the
behaviour you're looking for (see the compat_set_template function in
src/lib/libc/gen/getpwent.c).

Okay, let's look at it from an alternate tack then -- what else renders an account invalid?

Is there a pam knob to check /etc/shells?  Or an sshd option?

I found these:

http://osdir.com/ml/linux.admin.managers/2003-08/msg00016.html

for a user who had a similar problem, but freebsd doesn't appear to have the requisite module. This could also be implemented as an option to pam_unix (which could check either /etc/shells or the NIS equivalent, since it already has the NIS hooks.)

I'll make a separate post to -hackers requesting this.

it's probably pretty trivial to port, but I'm leery to do so not-being a c-coder.

-Dan

--

"Of course she's gonna be upset!  You're dealing with a woman here Dan,
what the hell's wrong with you?"

-S. Kennedy, 11/11/01

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to