Date:      Wed, 10 Dec 2008 10:02:24 -0600
From:      Dan Nelson <dnelson@allantgroup.com>
To:        "Dan Mahoney, System Admin" <danm@prime.gushi.org>
Cc:        questions@freebsd.org
Subject:   Re: How to block NIS logins via ssh?
Message-ID:  <20081210160222.GB82227@dan.emsphone.com>
In-Reply-To: <alpine.BSF.2.00.0812100440400.49382@prime.gushi.org>
References:  <alpine.BSF.2.00.0812100440400.49382@prime.gushi.org>

In the last episode (Dec 10), Dan Mahoney, System Admin said:
> I'm noticing that when following the directions given here:
> 
> http://www.freebsd.org/doc/en/books/handbook/network-nis.html
> 
> For how to disable logins, the recommended action is to set the shell to 
> /sbin/nologin.
> 
> However, this is sloppy as it allows the user to log in, get the
> motd, do everything short of getting a shell.
> 
> I've tried starring out the password in the +::::::::: entry, (and
> putting in a "bad" password, like x), and those don't seem to work. 
> I am still able to connect via sshd and prove that the account works.

By default, the passwd field is ignored in an NIS + or - line. It looks
like if you rebuild libc with PW_OVERRIDE_PASSWD=1, you will get the
behaviour you're looking for (see the compat_set_template function in
src/lib/libc/gen/getpwent.c).

-- 
	Dan Nelson
	dnelson@allantgroup.com
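
An audit for the situation described in the reply above, as an added example that is not part of the original message: it lists `+`/`-` compat entries that set the password field, which the reply says is ignored by default. The 10-field master.passwd layout, the function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list NIS compat (+/-) entries in a
# master.passwd-format file that set the password field, which the reply
# says is ignored unless libc is built with PW_OVERRIDE_PASSWD.

# audit_compat_entries FILE
# Output, one line per flagged entry: LINE:ENTRY:PASSWD_FIELD:SHELL_FIELD
audit_compat_entries() {
    awk -F: '
        /^#/ { next }                      # skip comment lines
        /^[+-]/ && $2 != "" {              # compat entry with a passwd field
            shell = ($10 == "" ? "unset" : $10)
            printf "%d:%s:%s:%s\n", NR, $1, $2, shell
        }
    ' "$1"
}

# Constructed sample in master.passwd layout (10 colon-separated fields).
write_sample() {
    cat > "$1" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
+@staff:::::::::
+alice:*::::::::
+:x::::::::/sbin/nologin
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_compat_entries "$sample"
rm -f "$sample"
```

Each reported entry is one where an administrator may believe the account is locked by the password field when, on a default libc, it is not.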


