change session's login shell
Tim Nowaczyk
tan7f at virginia.edu
Mon Jul 25 21:24:50 UTC 2011
On Jul 25, 2011, at 5:04 PM, Frank Van Damme wrote:
> 2011/7/25 Jason Clifford <jason at ukpost.com>:
>> On Mon, Jul 25, 2011 at 2:11 PM, Frank Van Damme <frank.vandamme at gmail.com>
>> wrote:
>>>
>>> I'd like to change a user's shell based on group membership. The group
>>> membership is no problem - that's what pam_listfile is for. Changing
>>> the shell, however, seems non-obvious. I've looked at the source code
>>> of pam_unix and it provides the path to the users login shell
>>> according to /etc/passwd, so it should be possible for a pam module to
>>> set the shell to an arbitrary value, right?
>>
>> No because it's the ssh daemon or the login process that sets the shell.
>
> So they each use their own methods like grepping /etc/passwd, doing
> ldap lookups, or whatever it takes to come up with a shell - like
> "nothing" in the case of obscure authentication methods that the
> application happens to know nothing about?
>
This is out of scope for the pam list, but you should know that you can simply call getpwnam so you don't have to grep /etc/passwd. Many large installations don't even have most of their users in /etc/passwd, but use NIS or LDAP instead. getpwnam uses NSS to get all the users/passwords/groups. Your initial feature request might be able to be implemented by writing a custom NSS module. [1]
Cheers,
Tim Nowaczyk
[1] http://www.gnu.org/s/hello/manual/libc/Extending-NSS.html#Extending-NSS
--
Timothy Nowaczyk
Network Systems Engineer
University of Virginia - ITC
tan7f at virginia.edu
More information about the Pam-list
mailing list