Unix shells used to be a reliable method of access control, allowing for specific administrative shells to be assigned to logins. These shells could provide helpful messages as to why a particular login was not allowed to use the system. However, in modern Unix environments, this method no longer works due to two core problems.
Firstly, many services only use Unix logins for authentication and ignore the login’s shell. This includes services like Samba, IMAP servers, and Apache HTTP Basic Authentication. While some services can be configured to consider the login’s shell, others cannot be easily changed. Forgetting to configure one of these services properly can lead to unintended access.
Secondly, general authentication services like LDAP or Single Sign-On do not consider a login’s shell when granting access. In order to restrict usage based on shells, multiple versions of these authentication systems with different logins would need to be set up.
A similar issue arises with Apache HTTP Basic Authentication, as a single authentication realm often covers different services. To exclude certain logins from specific services, either multiple authentication files or additional checks in each service are required.
In the modern environment, the two most effective methods of access control are scrambling the login’s password and excluding the login from authentication sources.
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/UnixShellsNoMoreAccessControl