And is there a way to get around this requirement?
I am trying to set up a service that will provide an SSH tunnel. It
basically just needs to run:

    ssh -NT -L 8080:localhost:80 tunnel@remote

I have created a "tunnel" user on both the local and remote systems for
this purpose. On the remote system, the tunnel user's shell is set to
/bin/true, and this doesn't cause any problems (thanks to the -N
parameter).

However, I've found that SSH doesn't work if the *local* tunnel user
doesn't have a working shell. For example, if I set the local tunnel
user's shell to /sbin/nologin, the connection fails with the following
message.

    debug1: Local version string SSH-2.0-OpenSSH_7.4
    debug1: ssh_exchange_identification: This account is currently not available.
    ssh_exchange_identification: Connection closed by remote host

"tunnel" is a service account, so it really shouldn't have a shell.
Why is SSH trying to run the *local* user's shell, and is there a way to
change this behavior?
--
========================================================================
Ian Pilcher
[email protected]
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================