Denying /dev/null shell accounts
Scott Walker
scott.walker at magma.ca
Tue Oct 25 22:42:24 CEST 2005
Hi All,
I have a requirement to prevent users with a shell of /dev/null from
authenticating against a FreeRADIUS server.
Using the rpm provided with RHEL4.0:
radiusd: FreeRADIUS Version 1.0.1
I am using the unix module and pam. /dev/null is not listed as a valid
shell in /etc/shells, and accounts with /dev/null are currently able to
log in (via the DEFAULT entry in the users file). /etc/passwd is not
used and accounts are stored on an LDAP server.
users:
DEFAULT Auth-Type = PAM
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Idle-Limit = 1200,
        Ascend-Maximum-Time = 15800
radiusd.conf:
pam {
        pam_auth = radiusd
}
/etc/pam.d/radiusd:
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
/etc/shells:
/bin/sh
/bin/bash
/sbin/nologin
/bin/ash
/bin/bsh
/bin/ksh
/usr/bin/ksh
/usr/bin/pdksh
/bin/tcsh
/bin/csh
/bin/zsh
Any ideas around this?
Thanks
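
An added example, not part of the original post: a shell function that reports accounts whose login shell is missing from a shells file, which is the condition the post wants to deny. It assumes passwd-format input (for LDAP-backed accounts, the output of `getent passwd` when NSS is configured for LDAP); the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list accounts whose login shell
# is absent from a shells file, given passwd-format input such as the output
# of `getent passwd`.

# Usage: list_invalid_shell_accounts SHELLS_FILE PASSWD_FILE
# Prints "user:shell" for every account whose shell is not listed.
list_invalid_shell_accounts() {
    awk -F: -v shells="$1" '
        BEGIN {
            # Load permitted shells, skipping comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") ok[line] = 1
            }
            close(shells)
        }
        # passwd format: field 1 is the login name, field 7 the shell.
        NF >= 7 {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field defaults to /bin/sh
            if (!(shell in ok)) print $1 ":" shell
        }
    ' "$2"
}

# Constructed sample data: the shells list from the post (abridged) and three
# made-up accounts, one of them with /dev/null as its shell.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# permitted shells' /bin/sh /bin/bash /sbin/nologin > "$dir/shells"
    printf '%s\n' \
        'alice:x:1001:1001::/home/alice:/bin/bash' \
        'dialup1:x:1002:1002::/home/dialup1:/dev/null' \
        'svc:x:1003:1003::/var/empty:/sbin/nologin' > "$dir/passwd"
    list_invalid_shell_accounts "$dir/shells" "$dir/passwd"
    rm -rf "$dir"
}

demo   # prints: dialup1:/dev/null
```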