[CentOS] /bin/false as a login shell
John Newbigin
jnewbigin at ict.swin.edu.au
Wed Mar 22 23:59:53 UTC 2006
Kai Schaetzl wrote:
> I see that /bin/false is not a valid shell by default on CentOS. It is
> f.i. on Suse. /bin/false is present, though. Is there a security reason
> for this? man says that nologin gives feedback that the account is not
> available while false just exits false. Anything against just adding
> /bin/false to /etc/shells?
The login shell is used for an interactive login (ssh). Some other
types of login will check to see if the login shell is listed in
/etc/shells before they allow access. I think this is done by pam_shells.
e.g.:
To give a user ftp only, set their shell to /sbin/nologin (and make sure
that is in /etc/shells).
To have a user with no interactive or ftp, set their shell to /bin/false
and make sure it is not listed in /etc/shells.
John.
>
> Kai
>
--
John Newbigin
Computer Systems Officer
Faculty of Information and Communication Technologies
Swinburne University of Technology
Melbourne, Australia
http://www.ict.swin.edu.au/staff/jnewbigin
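
The scheme described in the reply above, as an added example that is not part of the original post: a script that reads passwd-format and shells-format files and reports which class each account falls into. The function names, class labels and sample accounts are constructed for illustration, and treating any shell whose basename is nologin or false as one that refuses sessions is an assumption.

```shell
#!/bin/sh
# Added example: audit login shells against the scheme described in the post.

# is_listed SHELL SHELLS_FILE: true if SHELL is an exact, non-comment line.
is_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# classify_shell SHELL SHELLS_FILE: print the access class for one shell.
classify_shell() {
    shell=${1:-/bin/sh}          # an empty passwd shell field means /bin/sh
    case ${shell##*/} in
        nologin|false) refuses=1 ;;   # exits instead of giving a session
        *)             refuses=0 ;;
    esac
    if is_listed "$shell" "$2"; then listed=1; else listed=0; fi
    case $refuses$listed in
        11) echo ftp-only ;;          # no session, passes the /etc/shells check
        10) echo no-access ;;         # no session, fails the /etc/shells check
        01) echo interactive+ftp ;;
        00) echo interactive-only ;;  # real shell missing from /etc/shells
    esac
}

# audit_passwd PASSWD_FILE SHELLS_FILE: print "user shell class" per account.
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|'#'*) continue ;; esac
        printf '%s %s %s\n' "$user" "${shell:-/bin/sh}" \
            "$(classify_shell "$shell" "$2")"
    done < "$1"
}

# demo: run the audit over constructed sample files (not real system data).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' /bin/sh /bin/bash /sbin/nologin \
        '#/bin/false' > "$d/shells"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
        'ftponly:x:1001:1001::/home/ftponly:/sbin/nologin' \
        'svc:x:1002:1002::/var/lib/svc:/bin/false' \
        'legacy:x:1003:1003::/home/legacy:' > "$d/passwd"
    audit_passwd "$d/passwd" "$d/shells"
    rm -rf "$d"
}

demo
```

To audit a real host, call `audit_passwd /etc/passwd /etc/shells` in place of `demo`.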