What to do about nologin(8)?
Tim Kientzle
tim at kientzle.com
Tue Feb 24 16:48:15 PST 2004

Lanny Baron wrote:
> Hi,
> What I have done in the past for preventing logins via telnet/ssh is to
> make a script called ftponly and put it in /usr/local/bin and in
> /etc/shells put a line as /usr/local/bin/ftponly
>
> The little script for /usr/local/bin/ftponly is:
>
> #!/bin/sh -p
> echo 'This account is currently available only for FTP access.'
> exit 1
>
> Of course when you run adduser or pw useradd, you will choose
> /usr/local/bin/ftponly as their shell.

I'm trying to better understand how people are
really using these facilities, so I have a couple
of questions for you:

1) Why did you put it in /etc/shells?
2) Why did you use "-p"?
   (I know what -p does; I'd like to know why you
   chose it: did you see an example script somewhere
   that you copied it from?)

For those who have followed the "dynamic root"
debate, the security implications of a dynamic
/bin/sh are starting to really worry me.

Some form of NSS daemon that can be invoked
from statically-linked executables is starting
to look *really* desirable.

Tim Kientzle

More information about the freebsd-current mailing list