How to block NIS logins via ssh?

Dan Nelson dnelson at
Wed Dec 10 08:12:41 PST 2008

In the last episode (Dec 10), Dan Mahoney, System Admin said:
> I'm noticing that when following the directions given here:
> For how to disable logins, the recommended action is to set the shell to 
> /sbin/nologin.
> However, this is sloppy as it allows the user to log in, get the
> motd, do everything short of getting a shell.
> I've tried starring out the password in the +::::::::: entry, (and
> putting in a "bad" password, like x), and those don't seem to work. 
> I am still able to connect via sshd and prove that the account works.

By default, the passwd field is ignored in an NIS + or - line. It looks
like if you rebuild libc with PW_OVERRIDE_PASSWD=1,  you will get the
behaviour you're looking for (see the compat_set_template function in

	Dan Nelson
	dnelson at

More information about the freebsd-questions mailing list