The idea here is to run:

% ./gen-etc-shells.sh > /tmp/shells

Inspect /tmp/shells to make sure it's what you want. Then:

% mv /tmp/shells /etc/shells

It lists the 10 built-in shells allowed by getusershell(3C).
It then uses getent(1M) to extract all passwd entries; these
are piped to an awk script which extracts the shell information.
Once this is cleaned up and some known bogus entries are stripped out, the
resulting output is appropriate for creating a new /etc/shells
file, which will allow exactly the shells that were allowed previously, but
no others.
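The steps above (built-in defaults, plus every shell found in the passwd shell field, minus known non-shells) as an added example; this is not the page's gen-etc-shells.sh. The built-in list is a placeholder for whatever your getusershell(3C) man page documents, the bogus list is a constructed guess at the usual non-login placeholders, and the passwd data is a constructed sample standing in for the output of getent passwd:

```sh
#!/bin/sh
# Added example, not the page's script. Rebuilds an /etc/shells candidate
# from passwd(4)-format input plus the documented built-in defaults.

# Placeholder (constructed): substitute the built-in list from your own
# getusershell(3C) man page.
BUILTIN_SHELLS="/bin/sh /bin/csh /bin/ksh /bin/jsh /sbin/sh /sbin/jsh /usr/bin/sh /usr/bin/csh /usr/bin/ksh /usr/bin/jsh"

# Entries that turn up in the shell field but are not login shells. Listing
# them in /etc/shells would mark those accounts as shell-capable to anything
# that consults the file (ftpd, chsh), so they are dropped. Constructed list.
BOGUS_SHELLS="/bin/false /usr/bin/false /bin/true /usr/bin/true /sbin/nologin /usr/sbin/nologin"

# gen_shells: read passwd lines on stdin; print the union of the built-in
# shells and every absolute path in field 7, minus the bogus list, one per
# line, de-duplicated and sorted.
gen_shells() {
    {
        for s in $BUILTIN_SHELLS; do printf '%s\n' "$s"; done
        awk -F: '
            # Skip comments and lines without the 7 passwd fields.
            /^#/ || NF < 7 { next }
            # Empty shell field: the system default applies, and that is
            # already covered by the built-in list.
            $7 == "" { next }
            # Only absolute paths can be shells; anything else is garbage.
            $7 ~ /^\// { print $7 }
        '
    } | awk -v bogus="$BOGUS_SHELLS" '
        BEGIN { n = split(bogus, b, " "); for (i = 1; i <= n; i++) drop[b[i]] = 1 }
        # Drop the known non-shells, then emit each remaining path once.
        !($0 in drop) && !seen[$0]++ { print }
    ' | sort
}

# Constructed passwd sample standing in for "getent passwd" output.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
nobody:x:60001:60001:Nobody:/:/bin/false
alice:x:1001:10:Alice:/export/home/alice:/usr/local/bin/bash
bob:x:1002:10:Bob:/export/home/bob:/usr/bin/ksh
carol:x:1003:10:Carol:/export/home/carol:/usr/local/bin/tcsh
dave:x:1004:10:Dave:/export/home/dave:badshell
+::::::'

# Stand-alone run: prints the 10 built-ins plus /usr/local/bin/bash and
# /usr/local/bin/tcsh; /bin/false and "badshell" are gone.
printf '%s\n' "$SAMPLE_PASSWD" | gen_shells
```

Before moving the result into place, it is worth checking that every listed path actually exists and is executable on the host (`for s in $(cat /tmp/shells); do [ -x "$s" ] || echo "missing: $s"; done`); a stale path is harmless, but a non-shell that slipped past the bogus list would wrongly declare those accounts shell-capable.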
Download the shell script.