nologin vs false

What's the best way to disable a Linux user account?

2020-03-05
2 minutes

When disabling a user account on a Linux box, it is good practice to also change the shell to something which, well, isn’t a shell. The point of these shells is that rather than presenting the user with a prompt to execute further commands, they return a failure code and log the user out.

If you look around, people recommend a couple of different things to set as the user’s shell: /bin/nologin and /bin/false. Not once have I seen someone say why to use either, nor what the differences are.

# /bin/false

false is a foundational part of the shell. It’s an incredibly simple application which does nothing but exit.

Even the source code is simple: false.c

The source code itself is slightly misleading. false is actually an extension of true, but with a different return code. false returns status code 1, whilst true returns 0.

The real logic actually lives there: true.c

Both true and false are incredibly simple, even if you know nothing about C, and as a result they are incredibly fast.

# /bin/nologin

nologin is designed to do exactly what we want it to. It’s specifically designed to prevent login by being set as a user’s shell.

nologin does a little more than false, but it’s still very simple code to read: nologin.c

Once executed, nologin will try to read /etc/nologin.txt to get a custom message to show the user. If it exists, it prints that and exits with code 1. If it doesn’t exist, it shows the default message, and exits with code 1. This customization makes it much more user-friendly, although because the file is global, one system can only have one configured message.
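To make that control flow concrete, here is a shell re-implementation of the nologin logic as an added example (it is not the nologin.c source and not part of the original post). The message-file path is taken as a parameter so the function can be exercised against a temporary file instead of /etc/nologin.txt, and the default message wording is a constructed string that only approximates what the real binary prints. A second helper runs a candidate shell the way login would (with `-c` and a command) and reports its exit status, which is the check worth running after changing a user's shell.

```shell
#!/bin/sh
# Added example: shell model of nologin's behaviour, not the real nologin.c.

# Default text when no message file exists (constructed wording, assumption).
NOLOGIN_DEFAULT_MSG="This account is currently not available."

# shell_nologin [message_file]
# Mirrors nologin: print the custom message if the file exists, otherwise
# the default, and in both branches finish with status 1.
# The path parameter is hypothetical; real nologin reads /etc/nologin.txt.
shell_nologin() {
    msgfile="${1:-/etc/nologin.txt}"
    if [ -r "$msgfile" ]; then
        cat "$msgfile"
    else
        printf '%s\n' "$NOLOGIN_DEFAULT_MSG"
    fi
    return 1
}

# probe_shell_status shell_path
# Invokes the candidate shell with -c and a command, the way login/sshd
# would, and echoes its exit status. A non-shell (false, nologin) must
# report 1 without ever running the command; a real shell reports 0.
probe_shell_status() {
    if "$1" -c 'echo should-not-run' >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Demonstration: /bin/false refuses with status 1, a real shell does not.
printf 'false -> %s\n' "$(probe_shell_status /bin/false)"
printf 'sh    -> %s\n' "$(probe_shell_status /bin/sh)"
```

Running `probe_shell_status` against whatever you set as a disabled account's shell is a cheap sanity check that the path you typed into /etc/passwd really exists and really refuses; a typo there gives you a shell that fails to exec, which also blocks login but for the wrong reason.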

# rssh

rssh is a unique shell. Rather than executing arbitrary commands like bash does, it restricts a user's SSH access to exactly what’s needed. For example, you can block all access except SCP.

rssh is a much larger application compared to false and nologin, but it’s still not especially complex code.

# Which should I use?

Realistically, it doesn’t really matter. The point of a disabled prompt is to exit with a fail quickly, which both false and nologin do. So long as you block access, it really doesn’t matter how.

If you’re hyper paranoid, use false, as it’s simpler and smaller. But you’ll need to do a lot more than just use false if you want things that locked down. Alternatively, if you want it to be more obvious what’s going on, use nologin, as its name makes a bit more sense and it terminates with a message.

rssh solves a specific issue. It’s best not to use it unless you need its features, but if you do need them, it’s a valuable tool in the kit!
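Whichever of the two you pick, the thing that actually matters is that no account you meant to disable still has a working shell. The script below is an added example, not from the post, that audits a passwd-format file and lists human accounts whose shell is neither false nor nologin (at the paths distributions commonly install them). It runs on constructed sample data so it needs neither root nor the real /etc/passwd; point it at /etc/passwd on a live box. The UID cutoff, the list of accepted nologin paths and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example: audit which accounts still have a real login shell.

# Shell paths that refuse interactive login: the two shells the post
# discusses, at the locations distributions commonly use (assumption).
NOLOGIN_SHELLS='/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin /bin/nologin /usr/bin/nologin'

# is_nologin_shell path  -> status 0 when path is one of NOLOGIN_SHELLS
is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# accounts_with_login_shell passwd_file [min_uid]
# Prints "user shell" for each account with uid >= min_uid (default 1000,
# i.e. human accounts on most distributions) whose shell is not a nologin
# variant. An empty shell field means /bin/sh to login, so it is reported.
accounts_with_login_shell() {
    min_uid="${2:-1000}"
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks/comments
        [ "$uid" -ge "$min_uid" ] || continue
        [ -n "$shell" ] || shell=/bin/sh
        is_nologin_shell "$shell" || printf '%s %s\n' "$user" "$shell"
    done < "$1"
}

# Constructed sample passwd data (not a real system's /etc/passwd).
sample_passwd() {
    cat <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob (left 2020):/home/bob:/usr/sbin/nologin
carol:x:1002:1002::/home/carol:/bin/false
dave:x:1003:1003:Dave:/home/dave:
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
EOF
}

# Demonstration on the sample: reports alice (bash) and dave (empty shell).
sample_file=$(mktemp)
sample_passwd > "$sample_file"
accounts_with_login_shell "$sample_file"
rm -f "$sample_file"
```

Two caveats the audit cannot see from /etc/passwd alone: a password lock (`usermod -L`, the `!` prefix in /etc/shadow) is a separate control and does not stop key-based SSH on its own, and a shell path that is simply absent from the box is reported here as a login shell, which is the conservative answer.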
