The idea here is to run:
% ./gen-etc-shells.sh > /tmp/shells
Inspect /tmp/shells to make sure it's what you want. Then:
% mv /tmp/shells /etc/shells
The script lists the 10 built-in shells allowed by getusershell(3C). It then uses getent(1M) to extract all passwd entries; these are piped to an awk script which extracts the shell information. Once this is cleaned up and some known bogus entries are stripped out, the resulting output is appropriate for creating a new /etc/shells file, which will allow exactly the shells that were allowed previously, but no others.
Download the shell script.
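A sketch of the pipeline described above, as an added example that is not the gen-etc-shells.sh script offered for download. The names passwd_shells, gen_etc_shells, BUILTIN_SHELLS and --from-getent are hypothetical, the built-in list is a placeholder sample rather than the real list of 10, and the rules for what counts as a bogus entry are assumptions.

```shell
#!/bin/sh
# Added example: NOT the original gen-etc-shells.sh.

# Assumption: placeholder sample only. Replace it with the built-in list
# documented in getusershell(3C) on your release.
BUILTIN_SHELLS="${BUILTIN_SHELLS:-/bin/sh /sbin/sh /bin/csh /bin/ksh}"

# Read passwd(4)-format lines on stdin; print each usable login shell found.
passwd_shells() {
    awk -F: '
        /^[+-]/ || /^#/ { next }   # NIS compat markers and comments
        NF < 7 { next }            # malformed entry, no shell field
        {
            s = $7
            sub(/[ \t]+$/, "", s)               # strip trailing whitespace
            if (s == "") next                   # empty field means the default shell
            if (s !~ /^\//) next                # assumed bogus: not an absolute path
            if (s ~ /\/(false|nologin)$/) next  # assumed bogus: no-login placeholder
            print s
        }'
}

# Merge the built-in list with the shells seen on stdin, one path per line,
# sorted and de-duplicated: the content of a candidate /etc/shells.
gen_etc_shells() {
    {
        # Unquoted on purpose: split the list into one path per line.
        printf '%s\n' $BUILTIN_SHELLS
        passwd_shells
    } | LC_ALL=C sort -u
}

# Only query the name service when explicitly asked to.
if [ "${1:-}" = "--from-getent" ]; then
    getent passwd | gen_etc_shells
fi
```

Leaving no-login placeholders out matters because services that validate a login shell against getusershell(3C) would otherwise treat those accounts as having a valid shell.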