I need to set up some (err, a lot) of user accounts for (pop) mail and ftp access purposes. But disallow shell login access.

What I can do to achieve this - and it works well - is to create a small script, thus:

#!/usr/bin/tail +6
#
# /etc/NOSHELL
#
# Login shell to prevent shell access for user accounts
#
#########################################################################
#                                                                       #
#                 Sorry, you do not have login access.                  #
# If you need any special requirements, please contact GrowZone OnLine  #
#                                                                       #
#########################################################################

... then add /etc/NOSHELL to the login shell field of /etc/passwd

Attempts to login as one of these users works as expected... display of the last few lines, then logs the user back out again. Sweet.

For ftp access to work, an entry for /etc/NOSHELL needs to be added to /etc/shells - once done, also sweet.

However, I came across this comment in the sendmail FAQ where it talks about allowing users to forward their mail to a program...

http://www.sendmail.org/faq/section3.html#3.11

It states:

    NOTA BENE: DO NOT list /usr/local/etc/nologin in /etc/shells -- this will open up other security problems.

Does adding a "noshell" to /etc/shells really open up security holes? If so, what are they? Are there any alternatives to this?

Aside: One alternative we are currently using on many of our boxes here is to actually disable telnet in /etc/inetd.conf, and then run sshd/ssh2d as a daemon heavily wrapped in /etc/hosts.{allow,deny}

But this approach still begs the question about allowing ftp access and, according to the sendmail FAQ, the security holes this is supposed to create.

Cheers
Tony

-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <Tony@growzone.com.au>    Systems Administrator
GrowZone OnLine (a project of) GrowZone Development Network
POBox 475 Toowoomba Queensland Australia 4350    Ph: 07 4637 8322
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
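
An added example, not part of the original post: a small audit that reports which accounts use a no-login shell that is also listed in a shells file. Every program that consults /etc/shells, not only ftpd, treats a listed entry as a valid shell for those accounts. The function names and the sample passwd/shells data are constructed for illustration; only the /etc/NOSHELL path comes from the post.

```shell
#!/bin/sh
# Added example: cross-check a no-login "shell" against passwd and shells
# files. File paths are parameters so the check can run on copies.

# is_listed SHELLS_FILE SHELL -> exit 0 if SHELL is an active entry
is_listed() {
    # strip comments and trailing blanks, then require an exact line match
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" | grep -Fxq -- "$2"
}

# accounts_with PASSWD_FILE SHELL -> print login names whose shell is SHELL
accounts_with() {
    awk -F: -v sh="$2" '$7 == sh { print $1 }' "$1"
}

# audit PASSWD_FILE SHELLS_FILE SHELL -> one line per affected account
audit() {
    if is_listed "$2" "$3"; then
        accounts_with "$1" "$3" | while read -r user; do
            echo "$user: $3 is listed in $2"
        done
    fi
}

# Constructed sample data (hypothetical accounts), written to a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:POP and FTP only:/home/alice:/etc/NOSHELL
bob:x:1002:1002:POP and FTP only:/home/bob:/etc/NOSHELL
carol:x:1003:1003:Staff:/home/carol:/bin/sh
EOF
cat > "$demo_dir/shells" <<'EOF'
# constructed sample shells file
/bin/sh
/etc/NOSHELL
EOF
# Same file with the no-login entry commented out.
printf '%s\n' '/bin/sh' '#/etc/NOSHELL' > "$demo_dir/shells.off"

audit "$demo_dir/passwd" "$demo_dir/shells" /etc/NOSHELL
```

On a live system the call would be `audit /etc/passwd /etc/shells /etc/NOSHELL`.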