[Samba] Advice on: sshd[28182]: PAM pam_set_item: NULL

Andrew Bartlett abartlet at pcug.org.au
Tue Feb 19 17:44:19 GMT 2002


Mac wrote:
> 
> >From: Andrew Bartlett <abartlet at pcug.org.au>
> >Subject: Re: [Samba] Advice on: sshd[28182]: PAM pam_set_item: NULL pamhandlepassed
> >Date: Tue, 19 Feb 2002 06:30:20 +1100
> >
> >Andrew Bartlett wrote:
> >>
> >> Mark Cooke wrote:
> >> >
> >> > And the error is still there, is the problem fixed in a newer version? or
> >> > could it be something else as you mentioned?
> >>
> >> I'm assuming it's an OpenSSH problem - as the basic function calls work
> >> for other applications.  I need to chase this down.
> >
> >(and once again for the list - somebody will find this useful in the
> >archives).
> >
> >OpenSSH rejects as 'invalid' all users with shells not found in
> >/etc/shells.  It isn't particularly verbose about it either.  Winbind's
> >default shell is /bin/false, hence this little issue.  Set it to /bin/sh
> >if you want to allow SSH logins (template shell = /bin/sh)
> >
> 
> A possibly neater solution if you don't want to give real shell accounts
> to the users is to add '/bin/false' to the end of /etc/shells instead.
> 
> If necessary, you could make a copy of /bin/false to (say) /bin/false-shell
> and add that to /etc/shells instead, and then use that in /etc/passwd

OK, now think about what you just wrote.  Think about it again, and
consider what would happen even if OpenSSH were to allow a login to such
a /bin/false-shell account.  Remember that OpenSSH (like all good login
programs) executes all commands via the specified login shell.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
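
An audit for the condition discussed in this thread, added here as an example and not part of the original message: it lists each account's login shell and whether that shell appears in a shells file. The function names, status labels and the sample accounts are constructed for illustration; LISTED_NO_COMMANDS marks the /bin/false-shell case, where the account counts as valid but every command would still be run through a shell that does nothing.

```sh
#!/bin/sh
# Usage: audit_shells PASSWD_FILE SHELLS_FILE
# Prints "user shell STATUS" for every passwd-format line.
audit_shells() {
    awk -F: '
        # First file: the shells list. Drop comments, blanks, whitespace.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t]+/, "")
            if ($0 != "") listed[$0] = 1
            next
        }
        # Second file: passwd format, login shell is field 7.
        /^#/ || NF < 7 { next }
        {
            # passwd(5): an empty shell field means /bin/sh
            shell = ($7 == "") ? "/bin/sh" : $7
            if (!(shell in listed))
                status = "NOT_LISTED"          # the case reported in this thread
            else if (shell ~ "/(false|nologin)[^/]*$")
                status = "LISTED_NO_COMMANDS"  # valid user, but nothing can run
            else
                status = "LISTED"
            printf "%s %s %s\n", $1, shell, status
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from a real system).
demo_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/shells" <<'EOF'
# constructed shells file
/bin/sh
/bin/bash
/bin/false-shell
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
EXAMPLE+alice:x:10001:10000::/home/EXAMPLE/alice:/bin/false
EXAMPLE+bob:x:10002:10000::/home/EXAMPLE/bob:/bin/false-shell
svc:x:998:998::/var/lib/svc:
EOF
    audit_shells "$d/passwd" "$d/shells"
    rm -rf "$d"
}
demo_audit
```

Winbind accounts do not appear in /etc/passwd, so on a real host save the output of `getent passwd` to a file and pass that as PASSWD_FILE, with /etc/shells as SHELLS_FILE.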



