nologin has been listed in /etc/shells since 2002 [1].
This seems like an extraordinary mistake, and I agree with Jonathan
Kamens' comment on the original ticket [1]. I note that his concerns
were never adequately answered; the only response was a hand-wavy "well
we did it and it doesn't seem to have broken".
As an administrator, I would expect setting a user's shell to nologin
to prevent all access to the system. As an example of where this
expectation fails if nologin is listed in /etc/shells: vsftpd allows
access to a "nologin" user (it uses pam_shells).
I've read and re-read the original RFE [2]. The argument advanced for
the change is "so that 'chsh' and other tools will allow its use without
manual edit of /etc/passwd". I have no idea if that was true of chsh
in RedHat 7.3, but in Fedora 24 chsh allows root to set any shell at
all, with a warning if it doesn't exist, or isn't in /etc/shells.
With nologin absent from /etc/shells, non-root users are prevented
from using chsh to change their own shell to nologin, but this seems
like a feature not a bug. I can imagine in my student days "chsh -s
/sbin/nologin; clear" would have seemed like the ideal prank to type
into an unattended terminal!
Can anyone name the "other tools" that R P Herrold might have had in
mind? I've found system-config-users which only allows setting a shell
listed in /etc/shells. One remedy would be for system-config-users to
follow the lead of chsh, and allow any shell to be set with a warning.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=53963#c6
[2] https://bugzilla.redhat.com/show_bug.cgi?id=53963#c0
Toby.
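As an added example, not part of Toby's message nor code from pam_shells, vsftpd or system-config-users: a small Python audit that applies the pam_shells rule described above (access granted only if the account's login shell appears in /etc/shells) to constructed sample /etc/shells and /etc/passwd contents, lists the nologin accounts that would still be admitted, and shows the effect of removing nologin from /etc/shells. All function names and sample data are my own assumptions.

```python
from typing import Dict, List, Set, Tuple
import os
# Constructed sample file contents, not taken from any real system.
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/sbin/nologin
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftpuser:x:1001:1001::/srv/ftp/ftpuser:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bob:x:1003:1003::/home/bob:/bin/false
"""

def parse_shells(text: str) -> Set[str]:
    """/etc/shells as pam_shells reads it: one path per line, blanks and '#' comments ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def parse_passwd(text: str) -> List[Tuple[str, str]]:
    pairs = []  # (username, login shell) from passwd-format lines; short lines skipped
    for ln in text.splitlines():
        fields = ln.split(":")
        if len(fields) >= 7:
            pairs.append((fields[0], fields[6]))
    return pairs

def pam_shells_allows(shell: str, shells: Set[str]) -> bool:
    """Simplified pam_shells rule: access is granted iff the account's shell is listed."""
    return shell in shells

def audit(shells_text: str, passwd_text: str) -> Dict[str, object]:
    """Report accounts whose shell is nologin yet would pass a pam_shells check."""
    shells = parse_shells(shells_text)
    admitted, denied = [], []
    for user, shell in parse_passwd(passwd_text):
        if os.path.basename(shell) == "nologin":
            (admitted if pam_shells_allows(shell, shells) else denied).append(user)
    return {"nologin_listed": any(os.path.basename(s) == "nologin" for s in shells),
            "nologin_accounts_admitted": admitted, "nologin_accounts_denied": denied}

def remediated_shells(shells_text: str) -> str:
    """The remedy discussed above: drop every nologin entry from /etc/shells."""
    return "\n".join(ln for ln in shells_text.splitlines()
                     if os.path.basename(ln.strip()) != "nologin") + "\n"
```

Running audit() on the sample data reports ftpuser and daemon as admitted; after remediated_shells() the same accounts are denied.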