msh - the message shell, explain why a login is frozen
When a login is going to be removed from the system (or moved to
another system), the message shell presents a notification to anyone
accessing the system from the defunct account. This is accomplished by
setting the shell of the account to the path to msh.
The message is recovered from a spool directory (/var/spool/msh) by the
login name, the primary login group name, the default parameter, the
basename of the message shell program path, or the fixed name "Default",
whichever is first and available via open(2).
If no message can be located, an internal message directing the customer
to the system administrator is displayed.
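The lookup order described above, as an added example in C (not msh's own source): it tries each candidate name under the spool directory and returns the first one open(2) accepts, or -1 when the internal message should be used. The function name, the skipping of names that contain "/" or start with ".", and the sample login and group are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not msh source: return an fd for the first candidate that
 * open(2) accepts, in the page's order; -1 means use the internal message. */
static int msh_open_message(const char *spool, const char *login,
                            const char *group, const char *param,
                            const char *progpath, char *chosen, size_t len)
{
    const char *slash = progpath ? strrchr(progpath, '/') : NULL;
    const char *cands[5] = { login, group, param,
                             slash ? slash + 1 : progpath, "Default" };
    char path[4096];
    int i, fd;

    for (i = 0; i < 5; i++) {
        const char *n = cands[i];
        /* Assumed hardening: skip names that could escape the spool. */
        if (!n || !*n || n[0] == '.' || strchr(n, '/'))
            continue;
        if (snprintf(path, sizeof path, "%s/%s", spool, n) >= (int)sizeof path)
            continue;
        if ((fd = open(path, O_RDONLY)) < 0)
            continue; /* missing or unreadable: try the next name */
        snprintf(chosen, len, "%s", n);
        return fd;
    }
    return -1;
}

int main(void)
{
    char dir[64], file[128], chosen[64] = "(internal message)";

    /* Constructed spool holding only a "Default" message. */
    snprintf(dir, sizeof dir, "/tmp/msh-demo-%ld", (long)getpid());
    mkdir(dir, 0700);
    snprintf(file, sizeof file, "%s/Default", dir);
    close(open(file, O_CREAT | O_WRONLY, 0644));
    close(msh_open_message(dir, "toor", "staff", NULL,
                           "/usr/local/libexec/msh", chosen, sizeof chosen));
    printf("login toor is shown: %s\n", chosen);
    unlink(file);
    rmdir(dir);
    return 0;
}
```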
Since the message shell is usually run from login, no command line
switches may be presented.
Print only a brief help message.
Show only the standard version banner.
Build a file "toor" in the default message spool directory, make a
login "toor" in /etc/passwd with /usr/local/libexec/msh as its login
shell, and log in.
Uses cat to present the message to the user. A shell-safe pager would
be a better option.
The three second sleep is handy for xterm(1) and xdm(1) logins, but may
be too short for long messages.
Do not put this shell in /etc/shells, as that allows access to the
account via FTP. See also the nologin program under some BSD systems,
which is polite but less informative.
If you build a link to the program named "ftpshell", that link may be
placed in /etc/shells to allow FTP-only access to a host, thus replac-
Using file permissions to trick the open(2) of the message to skip one
is not as clever as you might believe. Most group messages should be
world readable; personal messages should direct the Customer to see a
person (never use the spool as a secure communications channel).
shell @ ksb.npcguild.org.noSpam-please
sh(1), login(8), cat(1), nologin(8l)