ugh. valid_shells is carefully designed so it can’t be used for this. But doing it in sshd
is probably the right answer.
On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
looks like the real solution is valid_shells in sssd.conf. That will prevent people from
damaging themselves.
> On Jan 25, 2018, at 3:12 PM, Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Charles Hedrick via FreeIPA-users wrote:
>> One of my staff made a typo in his shell in "ipa user-mod --shell". It can be hard
>> to recover from, since you can’t login.
>>
>> Is there a way to restrict what they can use? Traditionally only shells in
>> /etc/shells were valid.
>
> There is no way currently.
>
> Note that part of the problem is which /etc/shells to use? Remember that
> IPA is centralized and users may be using a number of different
> operating systems. This is why the default shell is /bin/sh, because it
> is nearly universal.
>
> It probably isn't a ton of work to add a new config option to provide a
> set of valid shells, so feel free to file an RFE; I just don't know that
> this sort of thing would be prioritized.
>
> We could probably help if you want to contribute something.
>
> rob
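
A pre-flight check of the kind the thread asks about, as an added example that is not part of the original messages or of FreeIPA: a wrapper that calls `ipa user-mod --shell` only when the requested shell appears in an allowlist written in `/etc/shells` format. The `ALLOWLIST` and `IPA_CMD` variables and both function names are assumptions of this example; the list path is configurable because, as noted above, clients may not share one `/etc/shells`.

```shell
#!/bin/sh
# Added example: refuse to set a login shell that is not on a central allowlist.
# The allowlist uses the /etc/shells format: one absolute path per line, '#' comments.
# ALLOWLIST and IPA_CMD are names assumed for this example.
ALLOWLIST="${ALLOWLIST:-/etc/shells}"
IPA_CMD="${IPA_CMD:-ipa}"

# shell_is_allowed SHELL [FILE]: succeed only if SHELL is an absolute path
# that appears as an exact entry in FILE.
shell_is_allowed() {
    candidate=$1
    list=${2:-$ALLOWLIST}
    case $candidate in
        /*) ;;                      # must be an absolute path
        *)  return 1 ;;
    esac
    [ -r "$list" ] || return 1      # fail closed when the list is missing
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop comments
        # trim surrounding whitespace
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        [ "$line" = "$candidate" ] && return 0
    done < "$list"
    return 1
}

# set_ipa_shell LOGIN SHELL: validate first, then change the shell in IPA.
set_ipa_shell() {
    if ! shell_is_allowed "$2"; then
        echo "refusing: '$2' is not listed in $ALLOWLIST" >&2
        return 2
    fi
    "$IPA_CMD" user-mod "$1" --shell="$2"
}

# Run as: ALLOWLIST=/path/to/list sh this-script LOGIN SHELL
if [ "$#" -eq 2 ]; then
    set_ipa_shell "$1" "$2"
fi
```

A typo such as `/bin/bsah` is rejected with exit status 2 before any change reaches the directory. This only guards changes made through the wrapper, not direct `ipa user-mod` calls.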