[Samba] Advice on: sshd[28182]: PAM pam_set_item: NULL

Andrew Bartlett abartlet at pcug.org.au
Tue Feb 19 17:44:19 GMT 2002

Mac wrote:
> >From: Andrew Bartlett <abartlet at pcug.org.au>
> >Subject: Re: [Samba] Advice on: sshd[28182]: PAM pam_set_item: NULL pamhandlepassed
> >Date: Tue, 19 Feb 2002 06:30:20 +1100
> >
> >Andrew Bartlett wrote:
> >>
> >> Mark Cooke wrote:
> >> >
> >> > And the error is still there, is the problem fixed in a newer version? or
> >> > could it be something else as you mentioned?
> >>
> >> I'm assuming it's an OpenSSH problem - as the basic function calls work
> >> for other applications.  I need to chase this down.
> >
> >(and once again for the list - somebody will find this useful in the
> >archives).
> >
> >OpenSSH rejects as 'invalid' all users with shells not found in
> >/etc/shells.  It isn't particularly verbose about it either.  Winbind's
> >default shell is /bin/false, hence this little issue.  Set it to /bin/sh
> >if you want to allow SSH logins (template shell = /bin/sh)
> >
> A possibly neater solution if you don't want to give real shell accounts
> to the users is to add '/bin/false' to the end of /etc/shells instead.
> If necessary, you could make a copy of /bin/false to (say) /bin/false-shell
> and add that to /etc/shells instead, and then use that in /etc/passwd

OK, now think about what you just wrote.  Think about it again, and
consider what would happen even if OpenSSH were to allow a login to such
a /bin/false-shell account.  Remember that OpenSSH (like all good login
programs) executes all commands via the specified login shell.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
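
The condition this thread describes, an account whose login shell is missing from /etc/shells, can be checked for before users hit the login failure. The script below is an added example, not code from the thread, Samba or OpenSSH; the function names and the sample passwd and shells entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose login shell is not in an /etc/shells-style file.

# unlisted_shell_users PASSWD_FILE SHELLS_FILE
# Prints "user:shell" for each passwd(5)-format entry whose shell is not listed.
unlisted_shell_users() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the allowed shells, ignoring comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]+$/, "", line)
                if (line != "") ok[line] = 1
            }
            close(shells)
        }
        /^#/ || NF < 7 { next }          # skip comments and malformed entries
        {
            sh = ($7 == "") ? "/bin/sh" : $7   # an empty shell field means /bin/sh
            if (!(sh in ok)) print $1 ":" sh
        }
    ' "$1"
}

# write_sample DIR: constructed sample data (hypothetical accounts, not from the thread).
write_sample() {
    cat > "$1/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/sh
EXAMPLE\bob:x:10001:10000::/home/EXAMPLE/bob:/bin/false
svc:x:999:999::/var/empty:
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
unlisted_shell_users "$tmp/passwd" "$tmp/shells"   # prints: EXAMPLE\bob:/bin/false
rm -rf "$tmp"
```

On a live host, save the output of `getent passwd` to a file and pass it with `/etc/shells` as the two arguments.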
