SSH via next hop, user has no shell on next hop

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I have machines A, B and C.



User is on Machine A and wants to ssh to Machine C via Machine B. User has shells on Machine A and C, but /usr/sbin/nologin on Machine B. Is it possible to ssh to Machine C via B?



The following command results in.



ssh -t B ssh C
This account is currently not available.


If I ssh to Machine C with a user with shell on B, the command works.







share|improve this question





















  • Related: unix.stackexchange.com/questions/184031/…
    – nohillside
    May 8 at 6:44














up vote
0
down vote

favorite












I have machines A, B and C.



User is on Machine A and wants to ssh to Machine C via Machine B. User has shells on Machine A and C, but /usr/sbin/nologin on Machine B. Is it possible to ssh to Machine C via B?



The following command results in.



ssh -t B ssh C
This account is currently not available.


If I ssh to Machine C with a user with shell on B, the command works.







share|improve this question





















  • Related: unix.stackexchange.com/questions/184031/…
    – nohillside
    May 8 at 6:44












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I have machines A, B and C.



User is on Machine A and wants to ssh to Machine C via Machine B. User has shells on Machine A and C, but /usr/sbin/nologin on Machine B. Is it possible to ssh to Machine C via B?



The following command results in.



ssh -t B ssh C
This account is currently not available.


If I ssh to Machine C with a user with shell on B, the command works.







share|improve this question













I have machines A, B and C.



User is on Machine A and wants to ssh to Machine C via Machine B. User has shells on Machine A and C, but /usr/sbin/nologin on Machine B. Is it possible to ssh to Machine C via B?



The following command results in.



ssh -t B ssh C
This account is currently not available.


If I ssh to Machine C with a user with shell on B, the command works.









share|improve this question












share|improve this question




share|improve this question








edited May 8 at 5:10
























asked May 8 at 5:05









pdns

656




656











  • Related: unix.stackexchange.com/questions/184031/…
    – nohillside
    May 8 at 6:44
















  • Related: unix.stackexchange.com/questions/184031/…
    – nohillside
    May 8 at 6:44















Related: unix.stackexchange.com/questions/184031/…
– nohillside
May 8 at 6:44




Related: unix.stackexchange.com/questions/184031/…
– nohillside
May 8 at 6:44










1 Answer
1






active

oldest

votes

















up vote
0
down vote













Having read the link from patrix' comment, I can tell that's still possible, if ssh doesn't try to execute the shell. A recent feature of openssh 7.3 is called ProxyJump (and is only a built-in and optimized (using pipes) shortcut for some longer ProxyCommand). This feature works only at the tunnel level and never executes the shell on the intermediate host.



So if on B the user account login is disabled by a nologin shell, but authentication is still working, and there's no ssh configuration preventing forwarding (ie: AllowTcpForwarding is not set to only remote or no, but to at least local or yes), the working command is simply:



ssh -J B C


On older ssh versions and without configuration you could do the same with something like:



ssh -f -N -L 2222:C:22 B
ssh -p 2222 localhost


The key point is this:




-N Do not execute a remote command. This is useful for just for‐

warding ports.







share|improve this answer





















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442464%2fssh-via-next-hop-user-has-no-shell-on-next-hop%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    Having read the link from patrix' comment, I can tell that's still possible, if ssh doesn't try to execute the shell. A recent feature of openssh 7.3 is called ProxyJump (and is only a built-in and optimized (using pipes) shortcut for some longer ProxyCommand). This feature works only at the tunnel level and never executes the shell on the intermediate host.



    So if on B the user account login is disabled by a nologin shell, but authentication is still working, and there's no ssh configuration preventing forwarding (ie: AllowTcpForwarding is not set to only remote or no, but to at least local or yes), the working command is simply:



    ssh -J B C


    On older ssh versions and without configuration you could do the same with something like:



    ssh -f -N -L 2222:C:22 B
    ssh -p 2222 localhost


    The key point is this:




    -N Do not execute a remote command. This is useful for just for‐

    warding ports.







    share|improve this answer

























      up vote
      0
      down vote













      Having read the link from patrix' comment, I can tell that's still possible, if ssh doesn't try to execute the shell. A recent feature of openssh 7.3 is called ProxyJump (and is only a built-in and optimized (using pipes) shortcut for some longer ProxyCommand). This feature works only at the tunnel level and never executes the shell on the intermediate host.



      So if on B the user account login is disabled by a nologin shell, but authentication is still working, and there's no ssh configuration preventing forwarding (ie: AllowTcpForwarding is not set to only remote or no, but to at least local or yes), the working command is simply:



      ssh -J B C


      On older ssh versions and without configuration you could do the same with something like:



      ssh -f -N -L 2222:C:22 B
      ssh -p 2222 localhost


      The key point is this:




      -N Do not execute a remote command. This is useful for just for‐

      warding ports.







      share|improve this answer























        up vote
        0
        down vote










        up vote
        0
        down vote









        Having read the link from patrix' comment, I can tell that's still possible, if ssh doesn't try to execute the shell. A recent feature of openssh 7.3 is called ProxyJump (and is only a built-in and optimized (using pipes) shortcut for some longer ProxyCommand). This feature works only at the tunnel level and never executes the shell on the intermediate host.



        So if on B the user account login is disabled by a nologin shell, but authentication is still working, and there's no ssh configuration preventing forwarding (ie: AllowTcpForwarding is not set to only remote or no, but to at least local or yes), the working command is simply:



        ssh -J B C


        On older ssh versions and without configuration you could do the same with something like:



        ssh -f -N -L 2222:C:22 B
        ssh -p 2222 localhost


        The key point is this:




        -N Do not execute a remote command. This is useful for just for‐

        warding ports.







        share|improve this answer













        Having read the link from patrix' comment, I can tell that's still possible, if ssh doesn't try to execute the shell. A recent feature of openssh 7.3 is called ProxyJump (and is only a built-in and optimized (using pipes) shortcut for some longer ProxyCommand). This feature works only at the tunnel level and never executes the shell on the intermediate host.



        So if on B the user account login is disabled by a nologin shell, but authentication is still working, and there's no ssh configuration preventing forwarding (ie: AllowTcpForwarding is not set to only remote or no, but to at least local or yes), the working command is simply:



        ssh -J B C


        On older ssh versions and without configuration you could do the same with something like:



        ssh -f -N -L 2222:C:22 B
        ssh -p 2222 localhost


        The key point is this:




        -N Do not execute a remote command. This is useful for just for‐

        warding ports.








        share|improve this answer













        share|improve this answer



        share|improve this answer











        answered May 12 at 22:59









        A.B

        2,4901315




        2,4901315






















             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f442464%2fssh-via-next-hop-user-has-no-shell-on-next-hop%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?