[99494] in RedHat Linux List

Re: radius (was: Re: Keeping certain users out....)

daemon@ATHENA.MIT.EDU (Ramon Gandia)
Sat Nov 14 23:22:09 1998

Date: Sat, 14 Nov 1998 19:18:09 -0900
From: Ramon Gandia <rfg@nook.net>
To: redhat-list@redhat.com
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com



Charles Galpin wrote:
> 
> Ramon
> 
> On my vanilla RH5.1 system, /bin/false is not in /etc/shells. Does this mean
> these accounts can somehow login? It makes sense to me that my own user
> defined shell would need to be in /etc/shells to work, but I'm not sure of
> the significance of a shell that you intend to not allow access, not being
> in /etc/shells.
> 
> hope that last sentence was readable.

Look in /bin, and see if "false" is there.  I.e., /bin/false.
In my case, /bin/false existed, but was not listed in /etc/shells.
If you have /bin/false, just add it to /etc/shells.

Likewise, you can add the /usr/bin/whatever to /etc/shells so
it runs when a user authenticates.  It takes a REAL shell before
he can DO anything.  /bin/false will merely exit him.

There is no magic on /bin/false.  See my prior post.  You could
have a 0 byte file there and it should work.  Or something that
prints a nasty message to HIM, like "You do not have a shell
account on this computer."

With any of these shenanigans, he just gets the login prompt
right back.  However, the crucial difference is that as far
as RADIUS is concerned, he actually is authenticated.  No shell,
but he is authenticated.  So your portmaster will log him in for
a PPP session but not for a shell session.

You don't think I give shell accounts to my users, do you?  They
all have /bin/false for shell.  But since they are listed in
/etc/passwd, /etc/group and /etc/shadow, then the RADIUS server
logs them in.  You need the statement Password = System or
Password = UNIX in your /etc/raddb/users file for Radius.

-- 
Ramon Gandia ==== Sysadmin ==== Nook Net ==== http://www.nook.net
285 West First Avenue                                rfg@nook.net
P.O. Box 970                                    tel. 907-443-7575
Nome, Alaska 99762-0970 ======================= fax. 907-443-2487
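
An added example, not part of the original message: a shell function that lists each account's login shell, marks accounts whose shell only exits (such as /bin/false), and shows whether that shell appears in the shells file, which is the check the post asks for. The sample passwd and shells files and the user names are constructed; on a real system pass /etc/passwd and /etc/shells instead.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_shells PASSWD_FILE SHELLS_FILE
# Prints one line per account: user shell kind state
#   kind:  no-shell (shell is .../false or .../nologin) or shell
#   state: listed / unlisted in SHELLS_FILE
audit_shells() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the shells list, skipping comments and blank lines.
            while ((getline line < shells) > 0) {
                if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
                listed[line] = 1
            }
            close(shells)
        }
        NF >= 7 {
            shell = $7
            if (shell == "") shell = "/bin/sh"  # passwd(5): empty means /bin/sh
            kind = (shell ~ /\/(false|nologin)$/) ? "no-shell" : "shell"
            state = (shell in listed) ? "listed" : "unlisted"
            print $1, shell, kind, state
        }
    ' "$1"
}

# Constructed sample data; the user names are made up.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pppuser1:x:501:100:dial-up only:/home/pppuser1:/bin/false
pppuser2:x:502:100:dial-up only:/home/pppuser2:/sbin/nologin
shelluser:x:503:100:shell account:/home/shelluser:/bin/bash
EOF
    cat > "$1/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
/bin/false
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
audit_shells "$tmp/passwd" "$tmp/shells"
rm -rf "$tmp"
```

Accounts reported as `no-shell unlisted` are the ones the post says to fix by adding their shell to /etc/shells.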

