SUMMARY: solved: minus sign in passwd file ignored...

From: Mike McFaul (
Date: Fri Nov 08 1991 - 00:49:36 CST

Here's my original post:

> I'm trying to block a single user from using one of our machines. The
> machines are running 4.1.1b and NIS. The machine's passwd file
> contains a '+::0:0:::' at the end of it to allow all NIS users access.
> Well I re-read the man page for the passwd file (many times I might
> add) and it implies that I can add '-user:' to the passwd file and
> block this guy. Well it only seems to work when I remove the '+'
> record. This is not what I want... Once I remove the '+' record no NIS
> user can access the machine anyway! I really don't want to have to
> specify all other NIS users with individual '+' records, this would be
> a pain to keep updated!
> Am I missing something here? Or is it a bug...

The summary:

Ok here's how to block a user -- well actually here are lots of ways
to block a user! My problem was caused by not supplying enough in the
'-' entry, '-user:' isn't good enough, but '-user::0:0:::' is. Also
the uid and gid fields can be any number.

There are two main ways to do it, one is to not let the guy on and the
second is to let him/her on but change the shell. Both methods work in
environments with and without NIS.

The "Don't Let The Guy on" method:

   This method consists of changing the password to a '*' or other
printable string of characters -- eg:

These '+' entries have to be before the final '+::0:0:::'

1. +user:*: -- this means the guy can't telnet in, but if he/she
                     can login to a trusted host (a host in
                     /etc/hosts.equiv), then rlogin lets him/her in.

2. -user::0:0::: -- this one stops telnets and rlogins, note the uid
                     and gid fields are filled in -- they must be
                     filled in for it to work (any digits work).

3. Make a copy of the users NIS passwd entry and insert it into
   the passwd file, then change the passwd to '*' this doesn't
   stop the 'rlogin' from a trusted host. Note there is no '+' or '-'
   ahead of the name, the entry is 'local'.

The "Change The Shell" method:

   This method consists of changing the shell of the user to something
that might just log them off, or print a message and log them off --

These '+' entries have to be before the final '+::0:0:::'

1. +user:::::/bin/true -- just exits on the guy

2. +user:::::/bin/nologin -- see below for examples of nologin shells

3. make a copy of the users NIS passwd entry and insert it into
   the passwd file, then change the users' shell. Remember, no '+' or '-'

Examples of the "nologin" shell:

From: <> Doug Neuhauser

   #! /bin/csh -f
   echo "You can not login on this system."
   exit 1

From: <lemke@MITL.COM> Kennedy Lemke

   trap "exit 0" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
   (/bin/date;echo "User $USER logged into `hostname`") | /usr/ucb/mail -s "login" $ADMIN
   echo ""
   echo "Login access to `hostname` is restricted for user $USER"
   echo "Contact Kennedy if you need to be able to log into this machine"
   echo ""
   sleep 5
   exit 0

From: <> Charles Foley

   /usr/bin/echo 'User access denied.'


There may be other ways that I haven't seen or permutations on these. There's the
double kill method which combines the two distinct methods. There were 35 responses
in around 12 hours... good action if you ask me...

Thanks go out to:

zeke@mpl.UCSD.EDU (Rob Scott) (Duc Vu) (Judy Russell) (John Stanley)
Sjoerd Mullender <> (Doug Neuhauser)
dan@BBN.COM (Bob Cunningham)
lemke@MITL.COM (Kennedy Lemke) ( Michael Maciolek)
Jonathan Corbet <corbet@stout.atd.ucar.EDU> (Jim Hendrickson x7348 M233) (Sam Finn) (James Ganong) (Bill Duncan)
johnb@edge.CIS.McMaster.CA (John Benjamins)
kpc!!cdr@uunet.UU.NET (Carl Rigney)
deltam!dm!mark@uunet.UU.NET (mark galbraith) (Ian Reddy) (Casper H.S. Dik) (Charles Foley)
long-morrow@CS.YALE.EDU (Eckhard Rueggeberg) (Guy Boudreault)
"Matt Crawford" <> (William LeFebvre)
VINCE@UCONNVM.UCONN.EDU (Karl Morgan) (Alek O. Komarnitsky) (Peter Gross) (John M. Blasik) (Dan Mosedale)
"Andrew Luebker" <>

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:17 CDT