Hrm, is there any provision for different paths for the same shell on
different platforms? (E.g. bash on Linux vs FreeBSD)

On Fri, Jan 26, 2018, 1:04 PM Charles Hedrick via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Turns out there is a way. It seems to be a recent addition, as it wasn’t
> in the documentation I looked at originally.
>
> [nss]
> allowed_shells = *
> shell_fallback = /bin/bash
>
> The semantics of allowed_shells is kind of interesting.
> * any shell in /etc/shells is OK
> * any shell in allowed_shells but not in /etc/shells gets replaced by the
> fallback
> * if allowed_shells isn’t set, any shell is used, even if it doesn’t exist
>
> So setting allowed_shells to * does what you’d want: any shell in
> /etc/shells is OK. Otherwise you get the fallback.
>
> * as a possible value is relatively new.
>
> This is really what I’d expect default behavior to be if allowed_shells
> isn’t set.
>
>
> > On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> >
> > Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> > writes:
> >
> >> Charles Hedrick via FreeIPA-users wrote:
> >>
> >>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It
> >>> can be hard to recover from, since you can’t log in.
> >>>
> >>> Is there a way to restrict what they can use? Traditionally only
> >>> shells in /etc/shells were valid.
> >>
> >> There is no way currently.
> >>
> >> Note that part of the problem is which /etc/shells to use? Remember
> >> that IPA is centralized and users may be using a number of different
> >> operating systems. This is why the default shell is /bin/sh, because
> >> it is nearly universal.
> >
> > At the very least, it would be good to restrict it to /etc/shells on the
> > current machine.  Doesn't cover everything, but it's an improvement.
> >
> > Thanks,
> > --Robbie
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
>


-- 

Mike Kelly
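
Added example (not part of the original thread, and not SSSD's own code): a small Python model of the allowed_shells / shell_fallback rules as described in the quoted message, run against constructed /etc/shells contents for a Linux and a FreeBSD host to show that the check is evaluated per host. The function names, host file contents and nologin path are assumptions; the /bin/sh default for shell_fallback and the nologin case come from sssd.conf(5).

```python
# Model of the shell-selection rules described in the thread.
# Illustration only: this is NOT SSSD source code.

NOLOGIN = "/sbin/nologin"  # assumed nologin path for this model


def parse_etc_shells(text):
    """Return the set of shell paths in /etc/shells-style text."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line.startswith("/"):
            shells.add(line)
    return shells


def resolve_shell(directory_shell, etc_shells,
                  allowed_shells=None, shell_fallback="/bin/sh"):
    """Return the shell a host would hand out for a directory-supplied value.

    allowed_shells=None models the option being unset in [nss].
    """
    if allowed_shells is None:
        return directory_shell   # unset: used as-is, even if it does not exist
    if directory_shell in etc_shells:
        return directory_shell   # listed in this host's /etc/shells
    if "*" in allowed_shells or directory_shell in allowed_shells:
        return shell_fallback    # allowed but not installed here
    return NOLOGIN               # neither allowed nor in /etc/shells


# Constructed /etc/shells contents for two hypothetical client hosts.
LINUX_SHELLS = parse_etc_shells("# constructed\n/bin/sh\n/bin/bash\n")
FREEBSD_SHELLS = parse_etc_shells(
    "# constructed\n/bin/sh\n/bin/csh\n/usr/local/bin/bash\n")

if __name__ == "__main__":
    # "/bin/bsah" stands in for the typo from the original question.
    for shell in ("/bin/bash", "/bin/bsah"):
        for host, known in (("linux", LINUX_SHELLS),
                            ("freebsd", FREEBSD_SHELLS)):
            unset = resolve_shell(shell, known)
            star = resolve_shell(shell, known, ["*"], "/bin/sh")
            print(f"{host:8} {shell:10} unset={unset:10} star={star}")
```

With allowed_shells = *, the mistyped shell and the Linux-only /bin/bash path both resolve to the fallback on a host whose /etc/shells lacks them, so the account stays able to log in.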