Re: What to do about nologin(8)?

From: Tim Kientzle <tim_at_kientzle.com>
Date: Tue, 24 Feb 2004 16:44:43 -0800
Lanny Baron wrote:
> Hi,
> What I have done in the past for preventing logins via telnet/ssh is to 
> make a script called ftponly and put it in /usr/local/bin and in 
> /etc/shells put a line as /usr/local/bin/ftponly
> 
> The little script for /usr/local/bin/ftponly is:
> 
> #!/bin/sh -p
> echo 'This account is currently available only for FTP access.'
> exit 1
> 
> Of course when you run adduser or pw useradd, you will choose 
> /usr/local/bin/ftponly as their shell.

I'm trying to better understand how people are
really using these facilities, so I have a couple
of questions for you:

1) Why did you put it in /etc/shells?

2) Why did you use "-p"?

(I know what -p does; I'd like to know why you
chose it: did you see an example script somewhere
that you copied it from?)

For those who have followed the "dynamic root"
debate, the security implications of a dynamic
/bin/sh are starting to really worry me.
Some form of NSS daemon that can be invoked
from statically-linked executables is starting
to look *really* desirable.

Tim Kientzle
Received on Tue Feb 24 2004 - 15:48:15 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:44 UTC