How to block NIS logins via ssh?
Dan Mahoney, System Admin
danm at prime.gushi.org
Wed Dec 10 10:57:39 PST 2008
On Wed, 10 Dec 2008, Dan Nelson wrote:
> In the last episode (Dec 10), Dan Mahoney, System Admin said:
>> I'm noticing that when following the directions given here:
>> For how to disable logins, the recommended action is to set the shell to
>> However, this is sloppy as it allows the user to log in, get the
>> motd, do everything short of getting a shell.
>> I've tried starring out the password in the +::::::::: entry, (and
>> putting in a "bad" password, like x), and those don't seem to work.
>> I am still able to connect via sshd and prove that the account works.
> By default, the passwd field is ignored in an NIS + or - line. It looks
> like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will get the
> behaviour you're looking for (see the compat_set_template function in
Okay, let's look at it from an alternate tack then -- what else renders an
Is there a PAM knob to check /etc/shells? Or an sshd option?
I found these:
for a user who had a similar problem, but FreeBSD doesn't appear to have
the requisite module. This could also be implemented as an option to
pam_unix (which could check either /etc/shells or the NIS equivalent,
since it already has the NIS hooks.)
I'll make a separate post to -hackers requesting this.
it's probably pretty trivial to port, but I'm leery to do so not being a
"Of course she's gonna be upset! You're dealing with a woman here Dan,
what the hell's wrong with you?"
-S. Kennedy, 11/11/01
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
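
The /etc/shells check asked about in the message above, as an added example that is not part of the original post and not FreeBSD or PAM project code: it parses a shells(5)-style list and denies any account whose login shell is not listed. The names `shell_listed` and `account_permitted`, the constructed `SAMPLE_SHELLS` list, and the choice to deny an empty shell field are assumptions of this example.

```c
/* Added example; function names and sample data are hypothetical. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in shells(5) format, used for the offline demo. */
static const char SAMPLE_SHELLS[] =
    "# List of acceptable shells\n"
    "/bin/sh\n"
    "  /bin/csh   # trailing comment\n"
    "#/usr/local/bin/bash\n";

/* Return 1 if `shell` is an entry in `shells_text`, else 0. */
int shell_listed(const char *shell, const char *shells_text)
{
    size_t want;
    const char *p = shells_text;
    if (shell == NULL || *shell == '\0')
        return 0;             /* empty shell field: deny, do not assume /bin/sh */
    want = strlen(shell);
    while (*p != '\0') {
        const char *e, *eol = strchr(p, '\n');
        if (eol == NULL)
            eol = p + strlen(p);
        while (p < eol && isspace((unsigned char)*p))
            p++;              /* skip leading blanks */
        for (e = p; e < eol && *e != '#' && !isspace((unsigned char)*e); e++)
            ;                 /* entry ends at a blank or a comment */
        if (*p == '/' && (size_t)(e - p) == want && memcmp(p, shell, want) == 0)
            return 1;         /* exact match on a listed absolute path */
        p = (*eol != '\0') ? eol + 1 : eol;
    }
    return 0;
}

/* getpwnam() goes through the name service switch, so NIS-supplied entries are covered. */
int account_permitted(const char *user, const char *shells_text)
{
    struct passwd *pw = getpwnam(user);
    return pw != NULL && shell_listed(pw->pw_shell, shells_text);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    puts(account_permitted(user, SAMPLE_SHELLS) ? "permit" : "deny");
    return 0;
}
```

A real module would read the system's /etc/shells instead of the embedded sample and run this decision in the PAM account phase, so a denied user is rejected before the motd is shown.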