On 6/4/21 4:48 PM, William Unruh wrote:
> Something has to interpret that series of alphabetical characters
> into commands, options, etc. That is what a shell does. The program
> "nologin" does not do that. You could put it into /etc/rc.local in which
> case it will be the root shell that does it.

You didn't read my question completely. I was asking why the SSH client
was executing the shell on the *local* system (the system on which the
SSH client itself is running). I've already set the shell on the remote
system to /bin/true, and it works fine (since I'm only creating a
tunnel).
It turns out that the issue was the presence of a ProxyCommand in the
global configuration (presumably added by the FreeIPA installation).
strace showed that the SSH client tries to use a shell to run the
command specified by the ProxyCommand, which obviously fails if the
shell is /sbin/nologin. After overriding that for this specific usage,
I am able to establish the tunnel as a "shell-less" user.
--
========================================================================
Ian Pilcher
[email protected]
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
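
The conflict described in this post (a configured ProxyCommand combined with a local account whose shell cannot run commands) can be checked for before a tunnel is deployed. The following is an added example, not part of the original post; the function names, the sample hostname and the proxy helper path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `ssh -G <host>` output on
# stdin and reports whether a ProxyCommand would have to be run through a
# local shell that cannot execute commands.

# proxy_command: print the effective ProxyCommand, or nothing if unset/none.
proxy_command() {
    awk 'tolower($1) == "proxycommand" {
             sub(/^[^ \t]+[ \t]+/, "")      # drop the keyword itself
             if (tolower($0) != "none") print
             exit
         }'
}

# shell_is_stub SHELL_PATH: succeed if the "shell" only exits.
shell_is_stub() {
    case "${1##*/}" in
        nologin|true|false) return 0 ;;
        *) return 1 ;;
    esac
}

# check_tunnel_user SHELL_PATH < ssh-G-output
# Prints "ok" or "conflict: <command>"; returns 1 on conflict.
check_tunnel_user() {
    cmd=$(proxy_command)
    if [ -n "$cmd" ] && shell_is_stub "$1"; then
        printf 'conflict: %s\n' "$cmd"
        return 1
    fi
    printf 'ok\n'
}

# Constructed samples of `ssh -G` output; the helper path is a placeholder.
SAMPLE_WITH_PROXY='hostname tunnel.example.test
port 22
proxycommand /usr/local/bin/example-proxy-helper -p 22 tunnel.example.test'
SAMPLE_NO_PROXY='hostname tunnel.example.test
port 22'
```

On a live system the input would come from `ssh -G <host>`, which prints the effective client configuration. Setting `ProxyCommand none` in a per-host block, or passing `-o ProxyCommand=none` on the command line, is one way to override a global setting for a single use.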