How do you prevent non-root users from logging in to the system? How do you give a user FTP and mail access only? How do you set a shell to nologin to politely refuse a login?
Fear not, it is easy to deny access to a login shell :D. If the file /etc/nologin exists, login will allow access only to root. Other users will be shown the contents of this file and their logins will be refused. However, if you need to give a user only FTP or mail access, set that user's shell to /sbin/nologin.
Red Hat (RHEL) / Fedora Core / CentOS specific example
For example, allow user tom to use FTP and mail but give him no shell access. Use the usermod command to set the new shell:
# usermod -s /sbin/nologin tom
You can also edit the /etc/passwd file and change the shell.
The following programs are not affected by this shell (/sbin/nologin):
- FTP clients
- mail clients
- many setuid programs
Please note that it prevents access to the shell and logs the attempt. All of the following programs are prevented from accessing the user account:
- gdm/kdm/xdm (graphical login)
- ssh/scp/sftp etc
Debian / Ubuntu Linux specific example
Use the /bin/false shell under Debian / Ubuntu Linux (it does nothing, unsuccessfully, so the login fails). To set a no-login shell for user tom under Debian / Ubuntu, use:
$ sudo usermod -s /bin/false tom
Caution: Do not set root user shell to /sbin/nologin or /bin/false.
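To confirm that the shell change took effect and that the caution about root holds, the script below audits a passwd-format file. It is an added example, not part of the original article; the function names (audit_shells, shell_is_disabled, root_shell_ok) and the sample accounts are constructed for illustration, and /usr/sbin/nologin and /usr/bin/false are included as alternate paths for the same two programs.

```shell
#!/bin/sh
# Added example: audit login shells in a passwd-format file.
# Function names and the sample data are constructed for illustration.

# Constructed sample in /etc/passwd format (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
tom:x:1001:1001:Tom:/home/tom:/sbin/nologin
jerry:x:1002:1002:Jerry:/home/jerry:/bin/false
alice:x:1003:1003:Alice:/home/alice:/bin/bash
EOF
}

# Print "user shell status" for every account in the file (default /etc/passwd).
audit_shells() {
    awk -F: '
        NF != 7 { next }                      # skip blank or malformed lines
        {
            shell = $7
            blocked = (shell == "/sbin/nologin" || shell == "/usr/sbin/nologin" ||
                       shell == "/bin/false"    || shell == "/usr/bin/false")
            if (blocked && $3 == 0) status = "ROOT-LOCKED-OUT"
            else if (blocked)       status = "no-shell"
            else                    status = "login-shell"
            # An empty shell field means the system default (/bin/sh).
            printf "%s %s %s\n", $1, (shell == "" ? "-" : shell), status
        }
    ' "${1:-/etc/passwd}"
}

# Exit 0 only if user $1 exists in file $2 and has a non-login shell.
shell_is_disabled() {
    audit_shells "${2:-/etc/passwd}" |
        awk -v u="$1" '$1 == u && $3 == "no-shell" { ok = 1 } END { exit !ok }'
}

# Exit 0 only if no UID 0 account has been given nologin or false.
root_shell_ok() {
    ! audit_shells "${1:-/etc/passwd}" | grep -q ' ROOT-LOCKED-OUT$'
}
```

Source the file and run `audit_shells` with no argument to check the live /etc/passwd, or `shell_is_disabled tom` after the usermod command to confirm the result.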