Wrt /bin/false, I ran into such an exception: I installed freeradius on my
ubuntu main server so my astaro gateway could authenticate people.  They
already had accounts on that host for email - all of them using /bin/false.
I naively tried to use the freeradius plugin "unix password" (not the right
name, but the gist is accurate.)  freeradius would reject auth attempts due
to 'invalid shell'.  I ended up using the pam plugin and all was well... 

-----Original Message-----
From: Jan Owoc [mailto:jso...@gmail.com] 
Sent: Monday, October 29, 2012 11:24 AM
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] How to disable local/remote login, still
allowing access to smb share?

Hi Dmitry,

On Mon, Oct 29, 2012 at 9:17 AM, Dmitry Kozhinov <d...@desktopfay.com>
wrote:
> I am still newbie to UNIX administration. Please advise. After setting 
> up a storage server (a number of smb shares, as described at 
> http://wiki.openindiana.org/oi/Using+OpenIndiana+as+a+storage+server), 
> I ended up having a number of users at my system, each one needed only 
> to access an smb share from a Windows client machine. How do I prevent 
> using these usernames/passwords to login locally or remotely to the 
> server, and only use them to access smb shares?

I'm not a professional UNIX administrator, but the way I've seen it done is
to set the logon shell for those users to "/bin/false". An alternative is
"/usr/bin/passwd", so they can't get a logon shell, but they can "log on" to
change their password. There are some things for which /bin/false doesn't
work, but it might be enough for your needs [1].

[1] http://www.semicomplete.com/articles/ssh-security/

Jan

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss


_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Reply via email to