Ugh. valid_shells is carefully designed so it can’t be used for this. But doing 
it in sshd is probably the right answer.

> On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Looks like the real solution is valid_shells in sssd.conf. That will prevent 
> people from damaging themselves.
> 
>> On Jan 25, 2018, at 3:12 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> 
>> Charles Hedrick via FreeIPA-users wrote:
>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It can be 
>>> hard to recover from, since you can’t log in.
>>> 
>>> Is there a way to restrict what they can use? Traditionally only shells in 
>>> /etc/shells were valid.
>> 
>> There is no way currently.
>> 
>> Note that part of the problem is which /etc/shells to use? Remember that
>> IPA is centralized and users may be using a number of different
>> operating systems. This is why the default shell is /bin/sh, because it
>> is nearly universal.
>> 
>> It probably isn't a ton of work to add a new config option to provide a
>> set of valid shells, so feel free to file an RFE; I just don't know that
>> this sort of thing would be prioritized.
>> 
>> We could probably help if you want to contribute something.
>> 
>> rob
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
