> > > I have traced this to where the login program starts the shell (not
> > > using gdb, mind you, some of this is speculation):
> > >
> > > shell (pwent.pw_shell, (char *) 0); /* exec the shell finally. */
>
> If you want a shell you need a valid uid. Without such you have no system
> privileges at all.
>
> Do you really need *every* user to have shell access?

Yes, but not to the traditional shell, but rather to a captive program.

> What is your aversion to have an entry in a valid getpw data source?

The problem is, if you support RADIUS, local login, LDAP, etc., you effectively have many databases containing user credentials. The restriction requiring a shell means that each time an admin person adds a user to RADIUS, they need to add a user to /etc/passwd. If they don't, you cannot log in. Maybe this becomes a hard requirement, but it seems ugly.

One idea would be to map a set of RADIUS users to an /etc/passwd user, provided you don't care about priv. separation with different UIDs.

/jc

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
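The step the thread is arguing about, written out as an added example (this is not code from the thread, from PAM, or from the login program): an authenticated RADIUS identity is first mapped onto a local account name, and only then does the login path consult the getpw data source for the uid, gid and pw_shell it needs before it can drop privileges and exec anything. The mapping table RADIUS_MAP and the local account names "captive" and "opsadm" are constructed for illustration; on a real system the second lookup succeeds only if the administrator actually created that local account, which is exactly the coupling the poster objects to.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed mapping table (an assumption of this example, not something
 * from the thread): several RADIUS principals share one captive local
 * account, so the admin maintains one /etc/passwd entry instead of one per
 * RADIUS user. The price is that all of them run under the same UID. */
struct user_map {
    const char *radius_user;
    const char *local_user;
};

static const struct user_map RADIUS_MAP[] = {
    { "alice@corp.example", "captive" },
    { "bob@corp.example",   "captive" },
    { "ops-admin",          "opsadm"  },
};

/* Return the local account a RADIUS identity maps to, or NULL when it is
 * not in the table: no local identity means no uid, so no session. */
const char *map_radius_user(const char *radius_user)
{
    size_t i;
    for (i = 0; i < sizeof RADIUS_MAP / sizeof RADIUS_MAP[0]; i++)
        if (strcmp(RADIUS_MAP[i].radius_user, radius_user) == 0)
            return RADIUS_MAP[i].local_user;
    return NULL;
}

/* What login does once it has a local account name: look it up through
 * getpwnam() (NSS decides whether that hits /etc/passwd, LDAP, ...) and take
 * uid, gid and the shell from the entry. Returns 0 on success, -1 if the
 * data source has no such account. An empty pw_shell is treated as /bin/sh,
 * mirroring login(1). */
int login_target(const char *local_user, uid_t *uid, gid_t *gid,
                 char *shell, size_t shell_len)
{
    struct passwd *pw = getpwnam(local_user);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    snprintf(shell, shell_len, "%s",
             (pw->pw_shell && pw->pw_shell[0]) ? pw->pw_shell : "/bin/sh");
    return 0;
}

/* Convenience wrapper: the uid a local name resolves to, or -1 if absent. */
long resolved_uid(const char *local_user)
{
    uid_t uid; gid_t gid; char shell[256];
    if (login_target(local_user, &uid, &gid, shell, sizeof shell) != 0)
        return -1;
    return (long)uid;
}

int main(int argc, char **argv)
{
    const char *radius_user = argc > 1 ? argv[1] : "alice@corp.example";
    const char *local = map_radius_user(radius_user);
    uid_t uid; gid_t gid; char shell[256];

    if (local == NULL) {
        fprintf(stderr, "%s: not mapped to any local account, refusing\n",
                radius_user);
        return 1;
    }
    if (login_target(local, &uid, &gid, shell, sizeof shell) != 0) {
        /* The RADIUS side accepted the user, but nobody added the local
         * account: this is the failure mode described in the thread. */
        fprintf(stderr, "%s -> %s: no entry in the getpw data source\n",
                radius_user, local);
        return 1;
    }
    /* A real login would now initgroups()/setgid()/setuid() to gid/uid and
     * then execl(shell, shell, (char *)0); here we only report the plan. */
    printf("%s -> %s: uid=%lu gid=%lu would exec %s\n",
           radius_user, local, (unsigned long)uid, (unsigned long)gid, shell);
    return 0;
}
```

Pointing pw_shell of the shared account at the captive program rather than at a real shell is what turns "every mapped user gets a shell" into "every mapped user gets the menu"; the mapping still does nothing about separation, because the kernel only ever sees the one uid.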