SUMMARY: User Shells

From: Christophe Prevotaux <nighty_at_ebc.net>
Date: Thu, 28 Dec 1995 09:40:08 +0100

SUMMARY: User Shells
-------------------------------------
This was the question asked:
-------------------------------------
I want to have accounts created for users but no shells allowed for them;
that means my users will never log in to the system. They are only
allowed to log in to the Terminal Server and are then identified with the
Radius Software, which uses the /etc/passwd file. How can I make the users
not have any shells or not be able to log in to the machine containing
their account?

Sorry if this looks like a very easy question... it does not seem crystal
clear to me ...

---------------------------------------------------------------------------
Here are all the answers I got
---------------------------------------------------------------------------

From: Dan Winger <winger_at_sewp.nasa.gov>

The last argument on each line of your "/etc/passwd" file normally
has the shell program to be executed like "/bin/csh" or "/bin/sh".
Substitute this with the program "/usr/local/bin/program_to_run".

----------------
From: "MR.OMAR" <rosley_at_tsi.com.my>

Just put "/bin/false" in the shell column of the /etc/passwd file,
where "/bin/false" does not exist!!! Or some other name that does not
exist! So when they try to log in, they will receive a "no login shell"
message and will not be able to log in.

----------------
***** This is the solution I retained for now until I go to NIS *****
From: "Mr. Kenneth L. Atchinson" <katchins_at_baldwinw.edu>

Compile the following program, then make this program the shell for the
users you don't want to have login accounts on your system. You can also
change their home directory to /tmp or something like that.


---- cut cut cut ----
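#include <stdio.h>
#include <stdlib.h>   /* exit() */

/* Login shell for accounts that must not get an interactive session:
   print a notice and exit non-zero so the login ends immediately. */
int main(void)
{
     printf("You are not authorized to access this system\n");
     fflush(stdout);
     exit(1);
}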

---- cut cut cut ----

BTW - I am using RADIUS (2.4.7) with a DEC Alpha and Livingston Terminal
Servers. Works great. Unfortunately, since I have some "unique"
scenarios here, I will now go to NIS databases to manage passwords, and
this cute little program may not be used (sob!!)

-----------------
From: Terry McIntyre <tm_at_switch.com>

Make the last field ( the shell ) be /bin/true instead of /bin/sh
whosit:passwd:123:123:whosit:/users/whosit:/bin/true

-----------------
From: Blue Moon Network Administrator <root_at_net.bluemoon.net>

Just set up radius normally, but have their shell listed in passwd be
something like a script that echoes a message saying logins aren't
allowed, and after the script executes the portmaster will drop carrier.
That will still allow them to be authenticated with their password by
radiusd, but not allow logins to the unix machine.

Be aware that all the radius does is check for the password; if the
password has expired (or there is another account lock) radius will still
allow the user to have a network connection. Radius is not really
suitable to manage an ISP network, at least not on DUnix and especially
not with the C2 subset installed.

----------------
From: boris_at_gore.afep.cornell.edu

The guys next door have a system. They have three machines which are disk
servers and other maintenance tasks only. On these machines, the shell is set
to a program named /bin/false, which spews a warning message and immediately
logs you out. This is set in the password file as your default login shell.
How does Radius determine what program your default login shell is?

----------------
From: rwa_at_cs.athabascau.ca (Ross Alexander)

edit /etc/passwd and change the shell field to /dev/null or something.

----------------
*************** Not relevant but maybe interesting for some radius users *************
From: Peter Clark <pclark_at_pcix.com>

Just add their password into the Radius file instead of making it
password=unix.

That way you never have to enter them into the server; voilà, no account
needed.

----------------
END
----------------
--
=====================================================================
Christophe Prevotaux AKA nighty   |        EBCnet, Reims, France    
IRC: nighty                       |         Internet Provider 
Email: nighty_at_ebc.net             | for the Champagne-Ardenne Region
=====================================================================
Sysadmin EBCnet                   |        Unix ? What is it ?
=====================================================================
       == My opinions do not reflect those of my employer ==
=====================================================================
Received on Thu Dec 28 1995 - 09:59:09 NZDT
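
An added example, not part of the original post or of any respondent's code: a small Python audit of the passwd shell field that tells apart the variants suggested in the answers above (a path that does not exist, /dev/null, /bin/true or a notice program) from accounts that can still get a shell. The accounts dial1-dial4, the path /usr/local/bin/nologin_msg, the INTERACTIVE list and the FAKE_FS table are constructed for illustration.

```python
import os

# Basenames treated as interactive shells (assumption; extend for your site).
INTERACTIVE = {"sh", "csh", "tcsh", "ksh", "bash", "zsh"}

def probe_fs(path):
    """Return (exists, runnable) for a shell path on the local filesystem."""
    return os.path.exists(path), os.path.isfile(path) and os.access(path, os.X_OK)

def classify(shell, probe=probe_fs):
    """Classify one passwd shell field."""
    if shell == "":
        return "interactive"           # empty field falls back to /bin/sh
    exists, runnable = probe(shell)
    if not exists:
        return "blocked-missing"       # holds only while the path stays absent
    if not runnable:
        return "blocked-not-runnable"  # e.g. /dev/null
    if os.path.basename(shell) in INTERACTIVE:
        return "interactive"
    return "non-shell-program"         # /bin/true, a notice program: review it

def audit(passwd_text, probe=probe_fs):
    """Map login name -> classification for every well-formed passwd line."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue                   # skip comments and malformed entries
        report[fields[0]] = classify(fields[6], probe)
    return report

# Constructed sample entries and a constructed filesystem view, so the
# example gives the same result on any host.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
whosit:passwd:123:123:whosit:/users/whosit:/bin/true
dial1:x:201:200:dial-in:/tmp:/usr/local/bin/nologin_msg
dial2:x:202:200:dial-in:/tmp:/bin/no_such_shell
dial3:x:203:200:dial-in:/tmp:/dev/null
dial4:x:204:200:dial-in:/tmp:
"""
FAKE_FS = {"/bin/sh": (True, True), "/bin/true": (True, True),
           "/usr/local/bin/nologin_msg": (True, True), "/dev/null": (True, False)}

if __name__ == "__main__":
    fake = lambda p: FAKE_FS.get(p, (False, False))
    for user, verdict in audit(SAMPLE, fake).items():
        print(f"{user:8} {verdict}")
```

To audit a real host, call audit(open("/etc/passwd").read()) and leave the probe argument at its default.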
