[techtalk] Hi. I'm new. Postfix/mail server questions...

Penguina penguina at cosyn.co.nz
Tue May 22 15:37:27 EST 2001


Mary:
>At the same time, some boxes probably do need to have a message to let people
>know they can't have shell when they log in.

yup.

Kai:
>> (Probably the "real C programmer" way to do it would be to have just one
>> script, with a variety of canned messages, that checked what name it had
>> been invoked under and displayed the appropriate message. Then make all
>> those names be symlinks to the one script. But I have no clue how to do
>> that in C.)

nope.

>But the problem was that it might, for instance, buffer overrun, or not catch
>SIGINT correctly, which requires more C knowledge than:
>printf("Sorry, you don't live here no more.");

yup.

Determining a user's status and reporting in conjunction with
(failed) authentication is possibly more secure than running a
script-not-a-shell in a session established after (incorrectly
successful) authentication.

What you're looking for is a PAM lockout module that is more
sophisticated than the current implementation of pam_deny.c --
something more along the lines of pam_mail.c, in that pam_mail.c
checks on user-unique stuff and reports it back to the user.

You could call it pam_because.c as in "you're locked out of your
account BECAUSE..."

Then you'd just need a place to store your reasons (pretexts,
excuses, blatant lies...whatever.  You're the sysadmin).
You've got a few choices: flat files, a relational database,
a hierarchical database, a structured file (e.g. text data
delimited with xml tags).  because.conf, because.db, because.ldp
or because.xml -- take your pick.

After all, the reasons we give for our decisions are almost
as important as the decisions themselves.  If we couldn't
tell people our reasons, then what room would there be to
dissemble?
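As an added sketch of the pam_because idea (not from the thread or any PAM project), the lookup-and-report step as a shell script: it assumes a hypothetical because.conf of user:reason lines and that it is run from the account stack by Linux-PAM's pam_exec.so, whose stdout option relays what the script prints back to the login client; the post names neither.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/pam_because.sh (added example, not from the thread).
# Meant to be run from the PAM account stack by Linux-PAM's pam_exec, e.g.
#   account required pam_exec.so stdout /usr/local/sbin/pam_because.sh
# pam_exec exports PAM_USER and PAM_TYPE; with "stdout" our output reaches the client.

# because.conf: one lockout per line, "user:reason text"; '#' lines and blanks ignored.
BECAUSE_CONF="${BECAUSE_CONF:-/etc/security/because.conf}"

# because_reason USER CONF
# Prints USER's stored reason. Exit 0 = found, 1 = not listed, 2 = policy unreadable.
because_reason() {
    user="$1"; conf="$2"
    [ -n "$user" ] && [ -r "$conf" ] || return 2
    awk -F: -v u="$user" '
        /^[ \t]*#/ || NF == 0 { next }                         # comment or blank line
        $1 == u { found = 1; sub(/^[^:]*:/, ""); print; exit }  # reason may itself contain colons
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# because_check USER CONF
# The PAM decision: exit 0 lets the account stack continue, exit 1 denies it.
# Whatever is printed is the "BECAUSE..." the user sees. An unreadable policy file
# fails closed on purpose: a vanished lockout list is itself something to investigate.
because_check() {
    if reason=$(because_reason "$1" "$2"); then
        printf 'Account %s is locked BECAUSE: %s\n' "$1" "$reason"
        return 1
    elif [ $? -eq 1 ]; then
        return 0
    else
        printf 'Account %s is locked BECAUSE: the lockout policy file is unreadable.\n' "$1"
        return 1
    fi
}

# pam_exec sets PAM_TYPE (auth, account, ...); only then act as a module.
if [ -n "${PAM_TYPE:-}" ]; then
    because_check "${PAM_USER:?PAM_USER not set}" "$BECAUSE_CONF"
    exit $?
fi
```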
