Subject: Re: Restricting remote access for a user
To: Andy R <quadreverb@yahoo.com>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-help
Date: 08/14/2002 08:16:19
(Andy, I also posted back to the list. It may benefit others or someone
can share more advice. Your off-list comments to me are removed.)

To switch user to a user who doesn't have a login shell, I suggested using
the -m switch with su(1).

This needs to be done as the superuser: "su -m username-here".

Or see "man su", which says that the shell needs to be a valid
getusershell(3) shell if -m is used by a normal user.

So create an executable valid shell, like:
$ cat /usr/local/sbin/nologin
#!/usr/bin/tail -1
No shell access

$ chmod a+rx /usr/local/sbin/nologin

And add the new shell (/usr/local/sbin/nologin) to /etc/shells (assuming that
your getusershell(3) uses it).

Then the "su -m username" will work for normal users.

Note that this will now allow FTP logins, so to stop FTP, look at
ftpusers(5). Also, look at the sshd configs to stop sshd login for a
particular user.

   Jeremy C. Reed
   http://bsd.reedmedia.net/
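
Added example, not part of the original message: a check for the side effect noted above, listing every account that uses the nologin shell and whether FTP and sshd logins are still open for it. The function names, the sample accounts and the simplified matching (exact user names in ftpusers, DenyUsers only in sshd_config) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Lists accounts using the nologin
# shell and whether FTP and sshd logins are still open for them.
# Assumptions: ftpusers lines are matched on exact user name only (no globs,
# groups or hosts); sshd is checked through DenyUsers only.

# audit_nologin PASSWD SHELLS FTPUSERS SSHD_CONFIG NOLOGIN_PATH
audit_nologin() {
    passwd=$1 shells=$2 ftpusers=$3 sshdconf=$4 nologin=$5
    # The FTP exposure from the post only arises once the shell is in /etc/shells.
    grep -qxF "$nologin" "$shells" || return 0
    awk -F: -v sh="$nologin" '$7 == sh { print $1 }' "$passwd" |
    while read -r user; do
        ftp=ALLOWED ssh=ALLOWED
        # Denied: first field is the user, directive absent, "deny" or "no".
        if awk -v u="$user" '
            /^[ \t]*#/ { next }
            $1 == u && ($2 == "" || $2 == "deny" || $2 == "no") { hit = 1 }
            END { exit !hit }' "$ftpusers"; then ftp=denied; fi
        # Denied: user named on a DenyUsers line (keyword is case-insensitive).
        if awk -v u="$user" '
            tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == u) hit = 1 }
            END { exit !hit }' "$sshdconf"; then ssh=denied; fi
        echo "$user ftp=$ftp ssh=$ssh"
    done
}

# Constructed sample data (no real accounts) so the check runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'alice:*:1001:100::/home/alice:/usr/local/sbin/nologin' \
        'bob:*:1002:100::/home/bob:/usr/local/sbin/nologin' \
        'carol:*:1003:100::/home/carol:/bin/sh' > "$d/passwd"
    printf '%s\n' /bin/sh /usr/local/sbin/nologin > "$d/shells"
    printf '%s\n' '# constructed' 'alice deny' > "$d/ftpusers"
    printf '%s\n' 'DenyUsers alice' > "$d/sshd_config"
    audit_nologin "$d/passwd" "$d/shells" "$d/ftpusers" "$d/sshd_config" \
        /usr/local/sbin/nologin
    rm -rf "$d"
}

demo
```

On a real system, pass the actual passwd, shells, ftpusers and sshd_config paths to audit_nologin; any line showing ALLOWED is an account that still needs an ftpusers(5) or sshd entry.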