[CentOS] /bin/false as a login shell

John Newbigin jnewbigin at ict.swin.edu.au
Wed Mar 22 23:59:53 UTC 2006


Kai Schaetzl wrote:

> I see that /bin/false is not a valid shell by default on CentOS. It is 
> f.i. on Suse. /bin/false is present, though. Is there a security reason 
> for this? man says that nologin gives feedback that the account is not 
> available while false just exits false. Anything against just adding 
> /bin/false to /etc/shells?
The login shell is used for an interactive login (ssh).  Some other 
types of login will check to see if the login shell is listed in 
/etc/shells before they allow access. I think this is done by pam_shells.

eg:
To give a user ftp only, set their shell to /sbin/nologin (and make sure 
that is in /etc/shells)
To have a user with no interactive or ftp, set their shell to /bin/false 
and make sure it is not listed in /etc/shells

John.

> 
> Kai
> 


-- 
John Newbigin
Computer Systems Officer
Faculty of Information and Communication Technologies
Swinburne University of Technology
Melbourne, Australia
http://www.ict.swin.edu.au/staff/jnewbigin




More information about the CentOS mailing list