Gregor Mosheh <[EMAIL PROTECTED]> writes:
> The way we did this on our system was:
>
> Create a dummy shell that logs the user out. e.g. /bin/nosh
> The contents of this file could be simply:
> echo Go away.
> exit
>
> Set the user's shell to this new dummy shell.
>
> Add this dummy shell to /etc/shells so the FTP server will let them FTP
> in. This is required for NcFTPd and WU-FTPd, maybe others.
>
> The user can now log in via FTP, but will get a rude message when they try
> to log in via SSH or telnet.
>
What I did instead was to use the C program shown below. The main
difference is that it syslogs any attempt to log in with the invalid
account.
Feel free to use it if you want.
Ramji
/*
Source code for non-existent shell. Used for users without a shell.
CopyLeft Ramji < rv @ uiop . org >
*/
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>

/* The C library's view of the environment. It is emptied below so that
   nothing inherited from the login process is carried any further. */
extern char **environ;

int main(int argc, char **argv)
{
    uid_t value;
    struct passwd *pw;
    const char *ident = "Invalid Username:";

    (void)argc;
    (void)argv;

    /* Set all the environment variables to nothing */
    environ = NULL;

    value = getuid();

    /* LOG_PID tags each record with our pid and LOG_CONS falls back to the
       console if syslogd cannot be reached. Syslog facilities are numbers,
       not bit flags, so exactly one facility (LOG_AUTH) is given here;
       OR-ing two together selects a third, unrelated facility. */
    openlog(ident, LOG_PID | LOG_CONS, LOG_AUTH);

    /* If getpwuid() cannot resolve the uid, log the numeric uid instead */
    if ((pw = getpwuid(value)) == NULL) {
        syslog(LOG_INFO,
               "Unauthorized Login - Attempted login from disabled account: UID %u",
               (unsigned int)value);
    } else {
        syslog(LOG_INFO,
               "Unauthorized Login - Attempted login from disabled account: %s",
               pw->pw_name);
    }
    closelog();

    return 0;
}
--
Ramji Venkateswaran Senior Systems Engineer
Internet Technology Group PLC
113-123 Upper Richmond Road, Putney, London, SW15 2TL
+44 (0)20 8957 1119
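The three steps in Gregor's recipe (install the dummy shell, point the user at it, list it in /etc/shells so an /etc/shells-checking FTP daemon still accepts the login), written out as POSIX shell functions. This is an added example, not code from either poster; the functions take the passwd and shells files as parameters so the procedure can be rehearsed on scratch copies, and the path /bin/nosh, the user name alice and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: wire up a "no login" shell as described in the thread.
# Every function takes the files it touches as arguments so it can be run
# against copies; on a real host you would pass /etc/passwd and /etc/shells.

# register_shell SHELLS_FILE SHELL
# Idempotently add SHELL to SHELLS_FILE (the list ftpd consults).
register_shell() {
    shells_file=$1
    shell=$2
    grep -qxF -- "$shell" "$shells_file" 2>/dev/null && return 0
    printf '%s\n' "$shell" >> "$shells_file"
}

# set_user_shell PASSWD_FILE USER SHELL
# Rewrite field 7 of USER's passwd line (what chsh -s does on the live file).
set_user_shell() {
    passwd_file=$1
    user=$2
    shell=$3
    tmp=$(mktemp) || return 1
    awk -F: -v OFS=: -v u="$user" -v s="$shell" '$1 == u { $7 = s } { print }' \
        "$passwd_file" > "$tmp" && cat "$tmp" > "$passwd_file"
    rm -f "$tmp"
}

# user_shell PASSWD_FILE USER
# Print USER's login shell.
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# ftp_allowed PASSWD_FILE SHELLS_FILE USER
# Succeed when USER's shell is listed in SHELLS_FILE, i.e. an FTP server
# that enforces /etc/shells would let the login proceed; fail otherwise.
ftp_allowed() {
    sh=$(user_shell "$1" "$3")
    [ -n "$sh" ] && grep -qxF -- "$sh" "$2"
}

# Rehearsal on constructed scratch files (not a real passwd database).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/passwd"
    printf 'alice:x:1001:1001::/home/alice:/bin/sh\n' >> "$dir/passwd"
    printf '/bin/sh\n/bin/bash\n' > "$dir/shells"

    set_user_shell "$dir/passwd" alice /bin/nosh
    if ftp_allowed "$dir/passwd" "$dir/shells" alice; then
        echo "alice: FTP allowed before /etc/shells update (unexpected)"
    else
        echo "alice: FTP refused, /bin/nosh not yet in shells file"
    fi

    register_shell "$dir/shells" /bin/nosh
    if ftp_allowed "$dir/passwd" "$dir/shells" alice; then
        echo "alice: FTP allowed, shell is $(user_shell "$dir/passwd" alice)"
    else
        echo "alice: FTP still refused (unexpected)"
    fi
    rm -rf "$dir"
}

demo
```

Two caveats worth keeping in mind when doing this on a live box: the dummy shell must be an executable file at the path you write into passwd, and listing it in /etc/shells widens more than FTP, since anything else that consults that file (chsh, and PAM's pam_shells where it is configured) will now treat /bin/nosh as a legitimate login shell.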