How to block NIS logins via ssh?
Dan Nelson
dnelson at allantgroup.com
Wed Dec 10 08:12:41 PST 2008
In the last episode (Dec 10), Dan Mahoney, System Admin said:
> I'm noticing that when following the directions given here:
>
> http://www.freebsd.org/doc/en/books/handbook/network-nis.html
>
> For how to disable logins, the recommended action is to set the shell to
> /sbin/nologin.
>
> However, this is sloppy as it allows the user to log in, get the
> motd, do everything short of getting a shell.
>
> I've tried starring out the password in the +::::::::: entry (and
> putting in a "bad" password, like x), and those don't seem to work.
> I am still able to connect via sshd and prove that the account works.

By default, the passwd field is ignored in an NIS + or - line. It looks
like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will get the
behaviour you're looking for (see the compat_set_template function in
src/lib/libc/gen/getpwent.c).
--
Dan Nelson
dnelson at allantgroup.com
More information about the freebsd-questions mailing list