On 2022-10-12 14:43:06 +0200, Michael Biebl wrote:
> Apparently you can still use su, sudo etc with --disabled-login. So I wonder
> if there is a real difference in practice to --disabled-password.

In some way, I would regard the command-via-ssh feature to behave a bit like sudo: this is not a login, one just wants to run a command (sudo is used to run it as another user, ssh is used to run it remotely).

> In any case, apparently a "login" under that user has happened (via SSH I
> assume). Otherwise pam_systemd.so and `systemd --user` wouldn't have been
> triggered.

While I wanted to report a bug against adduser to ask for a clarification, I saw:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625758
  'adduser --disabled-login' does not behave as documented.

reported 11 years ago and still open! Last comment a few months ago

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625758#72

with in particular:

  - change and document (adduser(8)) that --disabled-password will behave like --disabled-login and additionally set the shell to /usr/sbin/nologin.
  - --disabled-login and an explicitly set --shell is an error and will be flagged as such.

Using both --disabled-login and --shell was exactly what I did (setting a shell was necessary to be able to run the command, even though how the command is run is not mentioned in the sshd man page).

--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)