How to block NIS logins via ssh?
Dan Mahoney, System Admin
danm at prime.gushi.org
Wed Dec 10 10:57:39 PST 2008
On Wed, 10 Dec 2008, Dan Nelson wrote:
> In the last episode (Dec 10), Dan Mahoney, System Admin said:
>> I'm noticing that when following the directions given here:
>>
>> http://www.freebsd.org/doc/en/books/handbook/network-nis.html
>>
>> For how to disable logins, the recommended action is to set the shell to
>> /sbin/nologin.
>>
>> However, this is sloppy as it allows the user to log in, get the
>> motd, do everything short of getting a shell.
>>
>> I've tried starring out the password in the +::::::::: entry, (and
>> putting in a "bad" password, like x), and those don't seem to work.
>> I am still able to connect via sshd and prove that the account works.
>
> By default, the passwd field is ignored in an NIS + or - line. It looks
> like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will get the
> behaviour you're looking for (see the compat_set_template function in
> src/lib/libc/gen/getpwent.c).
Okay, let's look at it from an alternate tack then -- what else renders an
account invalid?
Is there a pam knob to check /etc/shells? Or an sshd option?
I found these:
http://osdir.com/ml/linux.admin.managers/2003-08/msg00016.html
for a user who had a similar problem, but freebsd doesn't appear to have
the requisite module. This could also be implemented as an option to
pam_unix (which could check either /etc/shells or the NIS equivalent,
since it already has the NIS hooks.)
I'll make a separate post to -hackers requesting this.
it's probably pretty trivial to port, but I'm leery to do so not-being a
c-coder.
-Dan
--
"Of course she's gonna be upset! You're dealing with a woman here Dan,
what the hell's wrong with you?"
-S. Kennedy, 11/11/01
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
More information about the freebsd-questions
mailing list