change session's login shell

Gary Algier gaa at ulticom.com
Tue Jul 26 00:34:44 UTC 2011 

On Jul 25, 2011, at 17:24, Tim Nowaczyk <tan7f at virginia.edu> wrote:

> 
> On Jul 25, 2011, at 5:04 PM, Frank Van Damme wrote:
> 
>> 2011/7/25 Jason Clifford <jason at ukpost.com>:
>>> On Mon, Jul 25, 2011 at 2:11 PM, Frank Van Damme <frank.vandamme at gmail.com>
>>> wrote:
>>>> 
>>>> I'd like to change a user's shell based on group membership. The group
>>>> membership is no problem - that's what pam_listfile is for. Changing
>>>> the shell, however, seems non-obvious. I've looked at the source code
>>>> of pam_unix and it provides the path to the users login shell
>>>> according to /etc/passwd, so it should be possible for a pam module to
>>>> set the shell to an arbitrary value, right?
>>> 
>>> No because it's the ssh daemon or the login process that sets the shell.
>> 
>> So they each use their own methods like grepping /etc/passwd, doing
>> ldap lookups, or whatever it takes to come up with a shell - like
>> "nothing" in the case of obscure authentication methods that the
>> application happens to know nothing about?
>> 
> This is out of scope for the pam list, but you should know that you can simply call getpwnam so you don't have to grep /etc/passwd.  Many large installations don't even have most of their users in /etc/passwd, but use NIS or LDAP instead.  getpwnam uses NSS to get all the users/passwords/groups.  Your initial feature request might be able to be implemented by writing a custom NSS module. [1]
> 
> Cheers,
> Tim Nowaczyk
> 
> [1] http://www.gnu.org/s/hello/manual/libc/Extending-NSS.html#Extending-NSS
> 
> 
> --
> Timothy Nowaczyk
> Network Systems Engineer
> University of Virginia - ITC
> tan7f at virginia.edu
> 
> 
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list

Actually this is already handled in most NIS and some LDAP Implementations using a syntax like:
     + at group::::::/bin/myshell    (I may be off on the number of colons).
in the /etc/passwd file.  Read the docs for your platform's passwd file syntax and the nsswitch.conf file.  Solaris can do this, your mileage may vary.

Fat fingered from my iPad -- miscorrections happen.

More information about the Pam-list mailing list