SSH via next hop, user has no shell on next hop
I have machines A, B and C.
User is on Machine A and wants to ssh to Machine C via Machine B. User has shells on Machine A and C, but /usr/sbin/nologin on Machine B. Is it possible to ssh to Machine C via B?
The following command results in:
    ssh -t B ssh C
    This account is currently not available.
If I ssh to Machine C with a user with shell on B, the command works.
Related: unix.stackexchange.com/questions/184031/…
– nohillside
May 8 at 6:44
edited May 8 at 5:10
asked May 8 at 5:05
pdns
1 Answer
Having read the link from patrix' comment, I can tell that's still possible, if ssh doesn't try to execute the shell. A recent feature of OpenSSH 7.3 is called ProxyJump (and is only a built-in and optimized (using pipes) shortcut for some longer ProxyCommand). This feature works only at the tunnel level and never executes the shell on the intermediate host.
So if on B the user account login is disabled by a nologin shell, but authentication is still working, and there's no ssh configuration preventing forwarding (i.e. AllowTcpForwarding is not set to only remote or no, but to at least local or yes), the working command is simply:
    ssh -J B C
On older ssh versions and without configuration you could do the same with something like:
    ssh -f -N -L 2222:C:22 B
    ssh -p 2222 localhost
The key point is this:
    -N      Do not execute a remote command. This is useful for just forwarding ports.
answered May 12 at 22:59
A.B
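The forwarding conditions named in the answer above, written as a check over B's effective sshd settings. This is an added example, not part of the original answer: the function name jump_allowed and the sample settings are constructed, and PermitOpen is matched on exact host:port entries only. It goes slightly beyond the answer by also looking at DisableForwarding and PermitOpen, two further sshd_config options that can block the same tunnel.

```shell
#!/bin/sh
# jump_allowed TARGET_HOST TARGET_PORT
# Reads effective sshd settings on stdin in the "keyword value" form printed
# by `sshd -T` (on B, as root, e.g. `sshd -T -C user=NAME`) and reports whether
# the tunnel used by `ssh -J B C` or `ssh -N -L ...` would be accepted.
# Assumption: PermitOpen entries are literal host:port, "any" or "none".
jump_allowed() {
    awk -v want="$1:$2" '
        BEGIN { fwd = "yes"; off = "no"; n = 0; want = tolower(want) }  # sshd defaults
        { key = tolower($1) }
        key == "allowtcpforwarding" { fwd = tolower($2) }
        key == "disableforwarding"  { off = tolower($2) }
        key == "permitopen"         { for (i = 2; i <= NF; i++) dst[n++] = tolower($i) }
        END {
            if (off == "yes") { print "blocked: DisableForwarding yes"; exit 1 }
            # -J and -L both need forwarding from B outwards: yes/all or local
            if (fwd != "yes" && fwd != "all" && fwd != "local") {
                print "blocked: AllowTcpForwarding " fwd; exit 1
            }
            ok = (n == 0)                  # no PermitOpen line means "any"
            for (i = 0; i < n; i++)
                if (dst[i] == "any" || dst[i] == want) ok = 1
            if (!ok) { print "blocked: PermitOpen does not list " want; exit 1 }
            print "allowed: " want
        }'
}

# Constructed sample: a jump-only account on B, limited to C's SSH port.
sample_jump_only='allowtcpforwarding local
disableforwarding no
permitopen c:22'

printf '%s\n' "$sample_jump_only" | jump_allowed C 22   || true
printf '%s\n' "$sample_jump_only" | jump_allowed C 3306 || true
printf 'allowtcpforwarding remote\n' | jump_allowed C 22 || true
```

For an account on B that exists only as a jump hop, AllowTcpForwarding local together with a PermitOpen entry for C:22 keeps the nologin restriction meaningful: the user can reach C but cannot tunnel to arbitrary hosts behind B.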