nologin – Refuse a login to a user, and make a note of it in syslog
A short while ago, I installed mergemaster as
part of my 3.1 upgrade. Today I started hunting around /usr/ports/sysutils,
found nologin and decided to install it. As the long description of the
port says, this is suitable for use as a "login shell" for a user that you
want to temporarily deny access to. Just set that user’s shell to /usr/local/sbin/nologin.
Note
the this port should not be confused with the utility provided with FreeBSD as /sbin/nologin.
That utility will display the following message after the user logs in but does not log
the attempt:
This account is currently not available.
See the notes below for more information on how this feature can
be used to create FTP only or email only accounts.
Installing nologin
As I already had the entire ports tree, here’s what I did
to install nologin:
# cd /usr/ports/sysutils/no-login # make>> nologin.c doesn't seem to exist on this system. >> Attempting to fetch from ftp://ftp.xmission.com/pub/users/s/softweyr/pub/. >> nologin.8 doesn't seem to exist on this system. >> Attempting to fetch from ftp://ftp.xmission.com/pub/users/s/softweyr/pub/. ===> Extracting for nologin-1.0 >> Checksum OK for nologin/nologin.c. >> Checksum OK for nologin/nologin.8. for FILE in nologin.c nologin.8 ; do /bin/cp /usr/ports/distfiles/nologin/${FILE} /usr/ports/sysutils/no-login/work /bin/cp /usr/ports/sysutils/no-login/files/Makefile /usr/ports/sysutils/no-login/work ===> Patching for nologin-1.0 ===> Configuring for nologin-1.0 ===> Building for nologin-1.0 cc -O -pipe -c nologin.c cc -O -pipe -o nologin nologin.o# make install===> Installing for nologin-1.0 install -c -s -o root -g wheel -m 555 /usr/ports/sysutils/no-login/work/nologin /usr/local/sbin install -c -o root -g wheel -m 444 /usr/ports/sysutils/no-login/work/nologin.8 /usr/local/man/man8 ===> Generating temporary packing list ===> Compressing manual pages for nologin-1.0 ===> Registering installation for nologin-1.0
Then run vipw and set the user’s shell to be /usr/local/sbin/nologin.
Here’s what such an entry might look like:
sam:o1kkDjmI:1076:1036::1:0:Testing:/home/sam:/usr/local/sbin/nologin
When this use next tries to login, they will get the usual login message, then they
will be disconnected and not recieve a shell prompt. In your system logs you will
find something like this:
Mar 9 19:04:20 ns nologin: sam on /dev/ttyp2
I’d actually like to see this port combined with with /sbin/nologin to
produce something which displays a message that an account is not available, exits, and
logs a message.
Additional notes about this feature (added on 13 April 2000)
prevent POP. If someone knows how to prevent that, please add your comments.
Note
that the solution described in this article will also disable ftp access. If you
want to allow ftp access (as in create an FTP only login, then I suggest you use /sbin/nologin
instead and list that shell within /etc/shells. Instead, you could list /usr/local/sbin/nologin
in /etc/shells but that would allow ftp access for everyone with that shell.
That may not be appropriate for your situation. You decide.
2 thoughts on “nologin – Refuse a login to a user, and make a note of it in syslog”
Leave a Comment
You must be logged in to post a comment.
Thanks for a very helpful page – I had spent quite some time trying to figure out how one made would make "FTP Only" account.
After reading I got the idea to take a "nologin"-shell and copy it to a new shell "nologin_ftponly" and then include this name in /etc/shells – so one has a neat shell with the right name for FTP Only users.
That renaming is a very good tip. And one I’ve seen elsewhere.
IDEA: instead of copying it, try a symlink.