diff --git a/default.nix b/default.nix
index 143faf54..1f8e479d 100644
--- a/default.nix
+++ b/default.nix
@@ -32,6 +32,7 @@ let
         ./modules/system/applications.nix
         ./modules/system/etc.nix
         ./modules/system/launchd.nix
+        ./modules/system/shells.nix
         ./modules/system/version.nix
         ./modules/time
         ./modules/networking
diff --git a/modules/system/shells.nix b/modules/system/shells.nix
new file mode 100644
index 00000000..5cc6e449
--- /dev/null
+++ b/modules/system/shells.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.environment;
+in
+
+{
+  options = {
+    environment.shells = mkOption {
+      type = types.listOf (types.either types.shellPackage types.path);
+      default = [];
+      example = literalExample "[ pkgs.bashInteractive pkgs.zsh ]";
+      description = ''
+        A list of permissible login shells for user accounts.
+        No need to mention <literal>/bin/sh</literal>
+        and other shells that are available by default on
+        macOS.
+      '';
+      apply = map (v: if types.shellPackage.check v then "/run/current-system/sw${v.shellPath}" else v);
+    };
+  };
+
+  config = mkIf (cfg.shells != []) {
+
+    environment.etc."shells".text = ''
+      # List of acceptable shells for chpass(1).
+      # Ftpd will not allow users to connect who are not using
+      # one of these shells.
+
+      /bin/bash
+      /bin/csh
+      /bin/ksh
+      /bin/sh
+      /bin/tcsh
+      /bin/zsh
+
+      # List of shells managed by nix.
+      ${concatStringsSep "\n" cfg.shells}
+    '';
+
+  };
+}