LinuxCommandLibrary

pam_shells

Restrict logins to listed shells

SYNOPSIS

pam_shells.so [debug] [audit] [nolog] [shell=/path/to/shells_file]

PARAMETERS

debug
    Enable debugging messages in the system log.

audit
    Log the outcome of the authentication attempt via the system's auditing system.

nolog
    Disable the writing of failed authentication attempts to the system log (implies no_warn).

shell=/path/to/shells_file
    Specify an alternate file to use instead of /etc/shells. The path must be absolute.

DESCRIPTION

The pam_shells PAM module decides whether a user may log in based on the login shell recorded in the user's account. It checks whether that shell is listed in /etc/shells, or in another file named in the configuration; if the shell is not listed, the module denies access. This is a security measure against logins through shells that are not intended for interactive use or that might pose a security risk. The module can be configured to reject access silently or to return an error message. It is a simple but effective way to enforce a policy on allowable shells. It inspects only the shell in the user's account information and does not affect other PAM authentication mechanisms.

CAVEATS

The module checks only the shell recorded in the user's account; a shell started or changed after login is not checked. The file specified by `shell=` must be readable by the module. Make sure that `/etc/shells` (or the file specified by `shell=`) contains only valid and safe shells.

CONFIGURATION EXAMPLE

To enable `pam_shells`, add the following line to the PAM configuration file (e.g., /etc/pam.d/login or /etc/pam.d/sshd):

    auth required pam_shells.so

This will require users to have a shell listed in /etc/shells to successfully authenticate.

FILE FORMAT

The /etc/shells file (and any file specified using the shell= option) should contain a list of absolute pathnames, one per line. Blank lines and lines starting with '#' are ignored.
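The following audit helper is an added example, not part of the pam_shells module or this page's original text. It parses a shells file in the format described above (one absolute pathname per line, blank lines and '#' lines ignored), reports entries that are not absolute, and shows which constructed passwd entries would be allowed or denied under the configuration example. Stripping surrounding whitespace from each line is an assumption of this example.

```python
"""Audit helper modelled on the pam_shells check: which accounts would it admit?"""

# Constructed sample inputs; not taken from a real system.
SHELLS_FILE = """\
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash

/usr/bin/zsh
bin/fish
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/usr/bin/zsh
svc_backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:bin/fish
"""


def parse_shells(text):
    """Return (allowed, rejected): absolute pathnames listed in the file,
    and entries that are not absolute and therefore should not be there."""
    allowed, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()  # whitespace stripping is an assumption of this example
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines are ignored
        (allowed if line.startswith("/") else rejected).append(line)
    return allowed, rejected


def login_shell(passwd_line):
    """Extract the login shell (7th field) from a passwd(5)-style entry."""
    fields = passwd_line.split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd entry: {passwd_line!r}")
    return fields[6]


def audit(passwd_text, shells_text):
    """Map each user name to True (shell listed, login allowed) or False (denied)."""
    allowed, _ = parse_shells(shells_text)
    return {line.split(":")[0]: login_shell(line) in allowed
            for line in passwd_text.splitlines() if line.strip()}


if __name__ == "__main__":
    for bad in parse_shells(SHELLS_FILE)[1]:
        print(f"shells file: non-absolute entry ignored: {bad}")
    for user, ok in audit(PASSWD, SHELLS_FILE).items():
        print(f"{user:12} {'allowed' if ok else 'DENIED'}")
```

Note that svc_backup is denied because /usr/sbin/nologin is not listed, which is the usual intent for service accounts.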

HISTORY

The `pam_shells` module has been part of PAM since its early days, providing a basic security check for user shells. It is a core PAM module and has seen relatively few changes over time, reflecting its simple and reliable function. Its presence indicates a standard security practice of restricting shells to those approved by the system administrator.

SEE ALSO

login(1), pam(8), shells(5)
