nologin – Refuse a login to a user, and make a note of it in syslog
A short while ago, I installed mergemaster as part of my 3.1 upgrade. Today I started hunting around /usr/ports/sysutils, found nologin and decided to install it. As the long description of the port says, this is suitable for use as a "login shell" for a user that you want to temporarily deny access to. Just set that user's shell to /usr/local/sbin/nologin.
Note that this port should not be confused with the utility provided with FreeBSD as /sbin/nologin. That utility will display the following message after the user logs in, but it does not log the attempt:
This account is currently not available.
See the notes below for more information on how this feature can be used to create FTP only or email only accounts.
Installing nologin
As I already had the entire ports tree, here's what I did to install nologin:
# cd /usr/ports/sysutils/no-login
# make
>> nologin.c doesn't seem to exist on this system.
>> Attempting to fetch from ftp://ftp.xmission.com/pub/users/s/softweyr/pub/.
>> nologin.8 doesn't seem to exist on this system.
>> Attempting to fetch from ftp://ftp.xmission.com/pub/users/s/softweyr/pub/.
===> Extracting for nologin-1.0
>> Checksum OK for nologin/nologin.c.
>> Checksum OK for nologin/nologin.8.
for FILE in nologin.c nologin.8 ; do /bin/cp /usr/ports/distfiles/nologin/${FILE} /usr/ports/sysutils/no-login/work
/bin/cp /usr/ports/sysutils/no-login/files/Makefile /usr/ports/sysutils/no-login/work
===> Patching for nologin-1.0
===> Configuring for nologin-1.0
===> Building for nologin-1.0
cc -O -pipe -c nologin.c
cc -O -pipe -o nologin nologin.o
# make install
===> Installing for nologin-1.0
install -c -s -o root -g wheel -m 555 /usr/ports/sysutils/no-login/work/nologin /usr/local/sbin
install -c -o root -g wheel -m 444 /usr/ports/sysutils/no-login/work/nologin.8 /usr/local/man/man8
===> Generating temporary packing list
===> Compressing manual pages for nologin-1.0
===> Registering installation for nologin-1.0
Then run vipw and set the user’s shell to be /usr/local/sbin/nologin. Here’s what such an entry might look like:
sam:o1kkDjmI:1076:1036::1:0:Testing:/home/sam:/usr/local/sbin/nologin
When this user next tries to log in, they will get the usual login message, then they will be disconnected and not receive a shell prompt. In your system logs you will find something like this:
Mar 9 19:04:20 ns nologin: sam on /dev/ttyp2
I'd actually like to see this port combined with /sbin/nologin to produce something which displays a message that an account is not available, exits, and logs a message.
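What that combination could look like, as an added example (not the port's code and not FreeBSD's /sbin/nologin): it prints the /sbin/nologin message, logs the attempt through syslog in the same "user on tty" shape shown above, and exits non-zero. The syslog facility (LOG_AUTH) and the program tag are my assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Message /sbin/nologin prints; this example prints it too. */
static const char MESSAGE[] = "This account is currently not available.\n";

/* Build the syslog text in the same shape as the port's entry
 * ("sam on /dev/ttyp2"). A missing user or tty becomes "UNKNOWN".
 * Returns the length written, or -1 if it does not fit in buf. */
int format_refusal(char *buf, size_t len, const char *user, const char *tty)
{
    int n = snprintf(buf, len, "%s on %s",
                     user ? user : "UNKNOWN", tty ? tty : "UNKNOWN");
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

int main(void)
{
    char line[256];
    /* login(1) has already switched to the account before exec'ing the
     * shell, so the real uid names the user being refused. */
    struct passwd *pw = getpwuid(getuid());
    const char *user = pw ? pw->pw_name : NULL;
    /* ttyname() returns NULL when there is no controlling terminal. */
    const char *tty = ttyname(STDIN_FILENO);

    /* Record the attempt (assumed facility LOG_AUTH, tag "nologin",
     * pid included for correlation with the login daemon's own lines). */
    openlog("nologin", LOG_PID, LOG_AUTH);
    if (format_refusal(line, sizeof line, user, tty) > 0)
        syslog(LOG_NOTICE, "%s", line);
    closelog();

    /* Tell the user, then exit non-zero so login drops the session. */
    fputs(MESSAGE, stdout);
    fflush(stdout);
    return EXIT_FAILURE;
}
```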
Additional notes about this feature (added on 13 April 2000)
Note that the solution described in this article will also disable ftp access. If you want to allow ftp access (as in creating an FTP only login), then I suggest you use /sbin/nologin instead and list that shell within /etc/shells. Alternatively, you could list /usr/local/sbin/nologin in /etc/shells, but that would allow ftp access for everyone with that shell. That may not be appropriate for your situation. You decide.
2 Responses to “nologin – Refuse a login to a user, and make a note of it in syslog”
Thanks for a very helpful page – I had spent quite some time trying to figure out how one would make an "FTP Only" account.
After reading I got the idea to take a "nologin"-shell and copy it to a new shell "nologin_ftponly" and then include this name in /etc/shells – so one has a neat shell with the right name for FTP Only users.
That renaming is a very good tip. And one I’ve seen elsewhere.
IDEA: instead of copying it, try a symlink.