Kai Schaetzl wrote:
I see that /bin/false is not a valid shell by default on CentOS. It is, for instance, on SUSE. /bin/false is present, though. Is there a security reason for this? man says that nologin gives feedback that the account is not available while false just exits false. Anything against just adding /bin/false to /etc/shells?
The login shell is used for an interactive login (ssh). Some other types of login will check to see if the login shell is listed in /etc/shells before they allow access. I think this is done by pam_shells.
e.g.:
To give a user ftp only, set their shell to /sbin/nologin (and make sure that is in /etc/shells).
To have a user with no interactive or ftp, set their shell to /bin/false and make sure it is not listed in /etc/shells.
John.
Kai
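
An added example, not part of the original thread: a POSIX sh audit that reports, for each account, whether its login shell is listed in the shells file, which is the lookup pam_shells performs. The function names are hypothetical and the passwd and shells contents are constructed sample data; point audit_shells at /etc/passwd and /etc/shells to check a real host.

```sh
#!/bin/sh
# shell_listed SHELL SHELLS_FILE
# Succeeds only if SHELL is an exact, non-comment line in SHELLS_FILE.
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -qxF -- "$1"
}

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints "user shell listed|unlisted" for every account in PASSWD_FILE.
audit_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        # passwd(5): an empty shell field means /bin/sh
        [ -n "$shell" ] || shell=/bin/sh
        if shell_listed "$shell" "$2"; then state=listed; else state=unlisted; fi
        printf '%s %s %s\n' "$user" "$shell" "$state"
    done < "$1"
}

# make_sample DIR: write constructed passwd and shells files into DIR.
make_sample() {
    cat > "$1/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
ftponly:x:1001:1001::/home/ftponly:/sbin/nologin
locked:x:1002:1002::/home/locked:/bin/false
EOF
    cat > "$1/shells" <<'EOF'
# constructed sample, mirrors the layout described in the reply
/bin/sh
/bin/bash
/sbin/nologin
EOF
}

# Stand-alone run on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_shells "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

Accounts reported as unlisted are the ones a service using pam_shells would refuse.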