nologin – Refuse a login to a user, and make a note of it in syslog

nologin – Refuse a login to a user, and make a note of it in syslog

A short while ago, I installed mergemaster as part of my 3.1 upgrade.  Today I started hunting around /usr/ports/sysutils, found nologin and decided to install it.  As the long description of the port says, this is suitable for use as a "login shell" for a user that you want to temporarily deny access to. Just set that user’s shell to /usr/local/sbin/nologin.

Note the this port should not be confused with the utility provided with FreeBSD as /sbin/nologin.  That utility will display the following message after the user logs in but does not log the attempt:

This account is currently not available.

See the notes below for more information on how this feature can be used to create FTP only or email only accounts.

Installing nologin

As I already had the entire ports tree, here’s what I did to install nologin:

# cd /usr/ports/sysutils/no-login
# make

>> nologin.c doesn't seem to exist on this system.
>> Attempting to fetch from 
                     ftp://ftp.xmission.com/pub/users/s/softweyr/pub/.
>> nologin.8 doesn't seem to exist on this system.
>> Attempting to fetch from 
                     ftp://ftp.xmission.com/pub/users/s/softweyr/pub/.
===>  Extracting for nologin-1.0
>> Checksum OK for nologin/nologin.c.
>> Checksum OK for nologin/nologin.8.
for FILE in nologin.c nologin.8 ; do /bin/cp 
                                 /usr/ports/distfiles/nologin/${FILE}
                                 /usr/ports/sysutils/no-login/work
/bin/cp /usr/ports/sysutils/no-login/files/Makefile
                                 /usr/ports/sysutils/no-login/work
===>  Patching for nologin-1.0
===>  Configuring for nologin-1.0
===>  Building for nologin-1.0
cc -O -pipe   -c nologin.c
cc -O -pipe    -o nologin nologin.o

# make install

===>  Installing for nologin-1.0
install -c -s -o root -g wheel -m 555 
        /usr/ports/sysutils/no-login/work/nologin /usr/local/sbin
install -c -o root -g wheel -m 444 
     /usr/ports/sysutils/no-login/work/nologin.8 /usr/local/man/man8
===>   Generating temporary packing list
===>   Compressing manual pages for nologin-1.0
===>   Registering installation for nologin-1.0

Then run vipw and set the user’s shell to be /usr/local/sbin/nologin.   Here’s what such an entry might look like:

sam:o1kkDjmI:1076:1036::1:0:Testing:/home/sam:/usr/local/sbin/nologin

When this use next tries to login, they will get the usual login message, then they will be disconnected and not recieve a shell prompt.  In your system logs you will find something like this:

Mar  9 19:04:20 ns nologin: sam on /dev/ttyp2

I’d actually like to see this port combined with with /sbin/nologin to produce something which displays a message that an account is not available, exits, and logs a message.

Additional notes about this feature (added on 13 April 2000)

The nologin feature prevents someone from logging in.  It does not prevent POP.  If someone knows how to prevent that, please add your comments.

Note that the solution described in this article will also disable ftp access.  If you want to allow ftp access (as in create an FTP only login, then I suggest you use /sbin/nologin instead and list that shell within /etc/shells.  Instead, you could list /usr/local/sbin/nologin in /etc/shells but that would allow ftp access for everyone with that shell.   That may not be appropriate for your situation.  You decide.