How to block NIS logins via ssh?

Dan Mahoney, System Admin danm at
Wed Dec 10 10:57:39 PST 2008

On Wed, 10 Dec 2008, Dan Nelson wrote:

> In the last episode (Dec 10), Dan Mahoney, System Admin said:
>> I'm noticing that when following the directions given here:
>> For how to disable logins, the recommended action is to set the shell to
>> /sbin/nologin.
>> However, this is sloppy as it allows the user to log in, get the
>> motd, do everything short of getting a shell.
>> I've tried starring out the password in the +::::::::: entry, (and
>> putting in a "bad" password, like x), and those don't seem to work.
>> I am still able to connect via sshd and prove that the account works.
> By default, the passwd field is ignored in an NIS + or - line. It looks
> like if you rebuild libc with PW_OVERRIDE_PASSWD=1,  you will get the
> behaviour you're looking for (see the compat_set_template function in
> src/lib/libc/gen/getpwent.c).

Okay, let's look at it from an alternate tack then -- what else renders an 
account invalid?

Is there a pam knob to check /etc/shells?  Or an sshd option?

I found these:

for a user who had a similar problem, but freebsd doesn't appear to have 
the requisite module.  This could also be implemented as an option to 
pam_unix (which could check either /etc/shells or the NIS equivalent, 
since it already has the NIS hooks.)

I'll make a separate post to -hackers requesting this.

it's probably pretty trivial to port, but I'm leery to do so not-being a 



"Of course she's gonna be upset!  You're dealing with a woman here Dan,
what the hell's wrong with you?"

-S. Kennedy, 11/11/01

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM

More information about the freebsd-questions mailing list