ugh. valid_shells is carefully designed so it can’t be used for this. But doing it in sshd is probably the right answer.
> On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users > <email@example.com> wrote: > > looks like the real solution is valid_shells in sssd.conf. That will prevent > people from damaging themselves. > >> On Jan 25, 2018, at 3:12 PM, Rob Crittenden <rcrit...@redhat.com> wrote: >> >> Charles Hedrick via FreeIPA-users wrote: >>> One of my staff made a typo in his shell in “ipa user-mod —shell” It can be >>> hard to recover from, since you can’t login. >>> >>> Is there a way to restrict what they can use? Traditionally only shells in >>> /etc/shells were valid. >> >> There is no way currently. >> >> Note that part of the problem is which /etc/shells to use? Remember that >> IPA is centralized and users may be using a number of different >> operating systems. This is why the default shell is /bin/sh, because it >> is nearly universal. >> >> It probably isn't a ton of work to add a new config option to provide a >> set of valid shells so feel free to file an RFE I just don't know that >> this sort of thing would be prioritized. >> >> We could probably help if you want to contribute something. >> >> rob > > _______________________________________________ > FreeIPA-users mailing list -- firstname.lastname@example.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org _______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org