Back in the day, /bin/false was often used to indicate a user had FTP access, but not shell access. As long as the systems aren't running FTP servers, /bin/false is a nice workaround, unless you're also trying to do automatic account lockouts per x number of failed login requests.

On 10/3/05, Andrew McNabb <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 03, 2005 at 01:40:51PM -0600, Erik R. Jensen wrote:
> > It appears that when using public key authentication with openssh, the
> > locked status of an account is ignored. This means I can issue "passwd
> > -l", and if the user had set up ssh keys for authentication, they can still
> > log in. I know there are other ways to further lock an account which I have
> > been doing, but I really just want openssh to respect the "!" that gets
> > placed in the shadow file when a "passwd -l" is issued. Is there a change
> > I can make in /etc/pam.d/sshd to force this check to happen or something I
> > am just overlooking?
> >
>
> One of the traditional ways to lock an account is to set the shell to
> /bin/false. Theoretically there might still be some problem with that,
> too, but I can't think of anything.
>
> --
> Andrew McNabb
> http://www.mcnabbs.org/andrew/
> PGP Fingerprint: 8A17 B57C 6879 1863 DE55 8012 AB4D 6098 8826 6868

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
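
An audit for the situation discussed in this thread, added here as an example and not part of any poster's message: it lists accounts whose shadow entry carries the "!" from `passwd -l` but which still have a usable login shell and an `authorized_keys` file. The function names, the nologin shell paths other than /bin/false, and the sample data are assumptions made for the example.

```python
import os

# Shells that refuse an interactive login. /bin/false is the one named in the
# thread; the nologin paths are assumed common equivalents.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def keys_on_disk(home):
    """Default check: does the account have a non-empty ~/.ssh/authorized_keys?"""
    path = os.path.join(home, ".ssh", "authorized_keys")
    return os.path.isfile(path) and os.path.getsize(path) > 0

def locked_but_reachable(passwd_text, shadow_text, has_keys=keys_on_disk):
    """Return accounts locked with "passwd -l" that still have a shell and SSH keys."""
    locked = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # passwd -l prefixes the password field with "!", as described in the thread.
        if len(fields) >= 2 and fields[1].startswith("!"):
            locked.add(fields[0])
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0] not in locked:
            continue
        user, home, shell = fields[0], fields[5], fields[6]
        if shell not in NOLOGIN_SHELLS and has_keys(home):
            findings.append(user)
    return sorted(findings)

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/false
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash
"""
SAMPLE_SHADOW = """\
alice:!$6$constructed$hash:13059:0:99999:7:::
bob:!$6$constructed$hash:13059:0:99999:7:::
carol:$6$constructed$hash:13059:0:99999:7:::
dave:!$6$constructed$hash:13059:0:99999:7:::
"""
SAMPLE_KEY_HOMES = {"/home/alice", "/home/bob", "/home/carol"}  # homes with keys

if __name__ == "__main__":
    # On a live host, run as root and pass the contents of /etc/passwd and
    # /etc/shadow, leaving has_keys at its default.
    print(locked_but_reachable(SAMPLE_PASSWD, SAMPLE_SHADOW,
                               SAMPLE_KEY_HOMES.__contains__))
```
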
