chsh
Change user's login shell
TLDR
Set a specific login shell for the current user interactively
List available shells
Set a specific login shell for the current user
Set a login shell for a specific user
SYNOPSIS
chsh [options] [username]
chsh -l
chsh -s SHELL [username]
PARAMETERS
-s, --shell SHELL
Specifies the absolute path to the new login shell. The SHELL must be an executable and typically must be listed in the /etc/shells file for security validation.
-l, --list-shells
Lists all available login shells that are currently permitted on the system. These shells are read from the /etc/shells file.
-u, --user USER
Used exclusively by the root user to specify the login name of the user whose shell is to be changed. Regular users cannot use this option.
-h, --help
Displays a brief help message explaining the command's usage and exits.
-v, --version
Displays version information for the command and exits.
DESCRIPTION
The chsh command, short for "change shell," allows a user to change their login shell. The login shell is the program that runs immediately after a user logs into a system and interprets commands.
When executed by a regular user, chsh prompts for the user's current password to ensure authenticity and prevent unauthorized changes. Upon successful authentication, the user is prompted to enter the absolute path to the new desired shell.
For security reasons, chsh typically only permits users to specify shells that are explicitly listed in the /etc/shells file. This measure prevents users from setting arbitrary or potentially malicious programs as their login shell. If the specified shell is not in /etc/shells, the command will usually refuse the change.
The root user, however, possesses the privilege to change the login shell for any user on the system without requiring that user's password. Changes made by chsh take effect the next time the user logs in to the system.
CAVEATS
The shell specified with chsh must be an existing executable on the system and, for security, typically must be present in the /etc/shells file. Setting an invalid, non-existent, or unlisted shell can lead to a user being unable to log in. For regular users, a password prompt ensures proper authentication before a shell change is permitted. Changes made by chsh do not take effect immediately but only upon the next successful login.
/ETC/SHELLS FILE
This plain text file is central to the security and operation of chsh. It contains a list of all valid login shells that are allowed on the system, with each shell's absolute path on a new line (e.g., /bin/bash, /usr/bin/zsh). When a user attempts to change their shell, chsh consults this file to ensure the requested shell is sanctioned. This mechanism prevents users from assigning arbitrary programs (which could be insecure or malicious) as their default shell, thus bolstering system security.
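The allowlist check described above can also be run as an audit over existing accounts, to find users whose recorded login shell is not sanctioned by /etc/shells. The following is an added example, not code from chsh or its package: the function names are hypothetical, the sample passwd and shells entries are constructed, and skipping shells that end in nologin or false is an assumption about how non-interactive accounts are marked.

```shell
#!/bin/sh
# Added example: flag accounts whose login shell is not on the /etc/shells allowlist.
# On a live system: audit_login_shells /etc/passwd /etc/shells

audit_login_shells() {
    # $1 = passwd-format file, $2 = shells-format file; prints "user:shell" per finding
    awk -F: '
        # Allowlist file (read first): drop comments and trailing blanks.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); sub(/[ \t]+$/, "")
            if ($0 != "") allowed[$0] = 1
            next
        }
        /^[ \t]*(#|$)/ { next }                     # skip blank or comment lines
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"      # passwd(5): empty field defaults to /bin/sh
            if (shell ~ /\/(nologin|false)$/) next  # assumption: non-interactive accounts
            if (!(shell in allowed)) print $1 ":" shell
        }
    ' "$2" "$1"
}

run_constructed_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shells" <<'EOF'
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
/usr/bin/zsh
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/usr/bin/zsh
bob:x:1001:1001:Bob:/home/bob:/home/bob/bin/mysh
carol:x:1002:1002:Carol:/home/carol:
dave:x:1003:1003:Dave:/home/dave:/usr/local/bin/fish
EOF
    audit_login_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

run_constructed_sample
```

A finding here means the entry was written by root or by editing the password database directly, since chsh would normally have refused it for a regular user; it is worth reviewing who set it and why.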
PAM (PLUGGABLE AUTHENTICATION MODULES) INTEGRATION
On modern Linux systems, chsh leverages PAM for its authentication process. PAM provides a modular framework that allows system administrators to configure various authentication methods (such as local passwords, LDAP, Kerberos, or multi-factor authentication) without altering the command's source code. The specific authentication policy for chsh is defined in its PAM configuration file, typically located at /etc/pam.d/chsh, which dictates how a user's identity is verified before a shell change is permitted.
HISTORY
chsh is a fundamental utility present on virtually all Unix-like operating systems, reflecting its importance in user account management. On many Linux distributions, it is part of the shadow-utils package, which provides a suite of tools for secure user and group account administration. Its core functionality of modifying the user's shell entry in the system's password database (e.g., /etc/passwd or via NSS/PAM) has remained consistent for decades, serving as a standard method for users to customize their login environment.