login shell not found "bug"

Bob Proulx bob at proulx.com
Sat Mar 24 13:54:45 EST 2007


Craig Bookwalter wrote:
> It turned out that the problem was that my default login shell in
> the NIS passwd file was tcsh, and Ubuntu 6.10 does not come with
> tcsh installed by default. It would have been wonderful if SSH could
> have told me that the reason my login was failing was that my login
> shell didn't exist, rather than just rejecting my password. I
> realize this doesn't happen very often, so it may not be worth
> inserting, but I thought I would at least put it in your hands.

First let me say that I am not one of the OpenSSH developers.  I am
speaking for myself.

Using a shell that is non-existent is a common way for admins to
disable accounts.  I don't know if sshd would have logged any
information to the syslog about it or not but returning an indication
to the user would probably be a security badness.  Because then an
attacker would learn something about the account, that the account
existed but that the shell did not.  That might give an attacker
information that could be used to advantage in breaking into the
system in another way.  The usual wisdom is to give no system information
to an unauthorized user.  Therefore probably sshd cannot actually say
why the login is failing to the user logging into the system.

Did any errors get logged to the syslog with this information?  That
would be the right place for it.

This probably won't make you feel any better about it but perhaps it
does explain the situation a little more.  (And also that perhaps it
is time to think about switching to a more standard shell. :-)

Good Luck!
Bob
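
Added example, not part of the original message and not OpenSSH code: a
host-side check for the situation in this thread, reporting passwd entries
whose login shell is absent or not executable on the machine. The function
names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Report passwd(5) entries whose login shell cannot be executed on this host.
# Input is passwd format on stdin. On a live system feed it `getent passwd`,
# which also returns NIS entries when NIS is listed in nsswitch.conf.

# find_missing_shells (hypothetical helper): prints "user:shell:reason"
# for every entry whose shell is missing or not executable.
find_missing_shells() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        # Skip blank lines, comments and NIS compat markers (+ / -).
        case "$user" in
            ''|'#'*|'+'*|'-'*) continue ;;
        esac
        # An empty shell field means /bin/sh, per passwd(5).
        [ -n "$shell" ] || shell=/bin/sh
        if [ ! -e "$shell" ]; then
            printf '%s:%s:missing\n' "$user" "$shell"
        elif [ -d "$shell" ] || [ ! -x "$shell" ]; then
            printf '%s:%s:not-executable\n' "$user" "$shell"
        fi
    done
}

# Constructed sample input (not taken from the original message).
sample_passwd() {
    cat <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/sh
craig:x:1001:1001:Craig:/home/craig:/nonexistent/bin/tcsh
svc:x:1002:1002:disabled:/var/empty:/nonexistent/nologin
dave:x:1003:1003:Dave:/home/dave:
EOF
}

# Run over the sample; on a real host use: getent passwd | find_missing_shells
sample_passwd | find_missing_shells
```

The check cannot tell an account disabled on purpose from one broken by a
missing package, so each reported line still needs a decision by the admin.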


More information about the openssh-unix-dev mailing list