[Solved] Modify default_shell = /sbin/nologin

NethServer Version: NS7
Module: NethServer::SSSD
Good morning, I have a question. We do not want to allow users to even have sftp-server as default_shell, and in /etc/sssd/sssd.conf I see:
default_shell = /usr/libexec/openssh/sftp-server
I would like to change this to:
default_shell = /sbin/nologin
But I'm not sure how, as it says do not modify.
Any ideas how I can do this?
Thank you :)

You may create a custom template /etc/e-smith/templates-custom/etc/sssd/sssd.conf/01provider_config_shell with following content:

{
    #
    # 01provider_config_shell - customized
    #

    $provider_config .= "default_shell = /sbin/nologin\n";
    '';
}

To apply the config:

signal-event nethserver-sssd-update

I never tested this and I don’t know if there’s some negative impact on the NethServer functions, so please try in a test environment first.

An alternative method could be to disable the sftp subsystem in sshd:

config setprop sshd SubsystemSftp no
signal-event nethserver-sssd-update

For changing existing users' shell there’s phpldapadmin, LAM or ldapmodify/ldbmodify on the command line.
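As an added illustration of why changing default_shell alone can leave an existing user on sftp-server (this is not code from the thread or from NethServer): SSSD's default_shell only fills in a shell for accounts whose directory entry returns none, while a loginShell already set on the account wins. The script models that precedence, including the override_shell option from sssd.conf(5) that the thread does not mention, over a constructed sssd.conf fragment and constructed directory data; the user names and domain are assumptions.

```python
import configparser

# Shells that end the session immediately (the thread's goal for all users).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sssd.conf fragment (not the real NethServer-generated file);
# only the [nss] shell options matter for this check.
SSSD_CONF = """[sssd]
domains = example.test

[nss]
default_shell = /sbin/nologin
"""

# Constructed directory data, as if read with ldapsearch: each account's
# loginShell attribute, or None when the attribute is unset.
DIRECTORY_SHELLS = {
    "mike": "/usr/libexec/openssh/sftp-server",  # account that already existed
    "newuser": None,                             # account created afterwards
}

def nss_shell_options(conf_text):
    """Return (override_shell, default_shell) from [nss]; None when unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    nss = cp["nss"] if cp.has_section("nss") else {}
    return nss.get("override_shell"), nss.get("default_shell")

def effective_shell(directory_shell, override_shell, default_shell):
    """SSSD precedence: override_shell applies to everyone; otherwise the
    loginShell the provider returned; default_shell only fills a gap."""
    if override_shell:
        return override_shell
    return directory_shell or default_shell

def audit(conf_text, directory_shells):
    """Map each user to the shell SSSD will hand to sshd/login."""
    override, default = nss_shell_options(conf_text)
    return {u: effective_shell(s, override, default)
            for u, s in directory_shells.items()}

def still_interactive(conf_text, directory_shells):
    """Users whose resulting shell is not a nologin shell, sorted by name."""
    shells = audit(conf_text, directory_shells)
    return sorted(u for u, sh in shells.items() if sh not in NOLOGIN_SHELLS)

if __name__ == "__main__":
    for user, shell in audit(SSSD_CONF, DIRECTORY_SHELLS).items():
        print(f"{user}: {shell}")
```

With only default_shell set, the pre-existing account keeps sftp-server and only the new account gets /sbin/nologin, which matches what the thread observed; override_shell, by contrast, applies to every account.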

Thank you for the help; alas, it did not work. It did modify /etc/sssd/sssd.conf with:
default_shell = /sbin/nologin
but in testing it still ran the sftp-server shell, it seems.
I tried the ldap-account-manager and that old how-to is failing now. Unclear what the issue is.
In /var/log/httpd/error.log:
PHP Fatal error: Arrays are not allowed in class constants in /usr/share/ldap-account-manager/lib/lists.inc on line 113, referer: http://X.X.X.X/lam/
It seems the PHP version, 5.4, may be too old, so I installed rh-php56-ldap and pear; still the same issue.

For testing you could create a new user and see if it works.

Please use phpldapadmin to change the shell, it works for AD too. I am going to check if LAM still works.

Did you try the alternative method?

No, I have not tried the alt method yet; I will test. Thank you, and I will try phpldapadmin.

OK, I tested the alt method and it still did not work, even with a new user:
Last login: Tue Apr 2 14:40:37 2019 from X.X.X.X
************ Welcome to NethServer ************

This is a NethServer installation.

Before editing configuration files, be aware
of the automatic events and templates system.

      http://docs.nethserver.org

quit
I will go try phpldapadmin. Let me know if you get LAM to work. Thank you for all your help :)

The alternative method just does not allow SFTP connections.

SSH is not allowed by default (user sees login but can’t do anything) but could be enabled per user in web UI.

Hello again,
Is this then what I should see?
I remote into the server and issue:
[root@adtest httpd]# config setprop sshd SubsystemSftp no
[root@adtest httpd]# signal-event nethserver-sssd-update
[root@adtest httpd]#
In another terminal:
ssh booger@
booger@'s password:
Last login: Tue Apr 2 14:41:36 2019 from 10.60.2.10

************ Welcome to NethServer ************

This is a NethServer installation.

Before editing configuration files, be aware
of the automatic events and templates system.

      http://docs.nethserver.org

quit
Connection to closed.

I still have not done the phpldapadmin part yet. Thank you again.

Yes, that’s for SSH.
When you connect with an SFTP client, you can’t connect with a user.

Success :) At least I hope so, for our needs.
Following your work in the latest LAM 6.7 how-to,
I was able to install LAM and modify the user's login shell to /sbin/nologin.
Testing yielded:
ssh mike@x.x.x.x
mike@x.x.x.x’s password:
Last login: Tue Apr 2 13:29:18 2019 from x.x.x.x

************ Welcome to NethServer ************

This is a NethServer installation.

Before editing configuration files, be aware
of the automatic events and templates system.

      http://docs.nethserver.org

This account is currently not available.
Connection to x.x.x.x closed.

This looks correct to me. Thank you.