I have an account that can ssh to localhost alright:
$ ssh root@localhost
# logout
Connection to localhost closed.
It does not work with the JumpProxy feature of ssh, however:
$ ssh -J root@localhost root@localhost
/sbin/nologin: invalid option -- 'c'
Usage:
nologin [options]
Politely refuse a login.
Options:
-h, --help display this help and exit
-V, --version output version information and exit
For more details see nologin(8).
ssh_exchange_identification: Connection closed by remote host
This seems to be related to the fact that the shell of the current user is set to /sbin/nologin — if I temporarily change it to bash the command works. It appears to be best practice to disable shell access for users that do not need it — but (why???) does JumpProxy need it?
Best Answer
In my testing on OpenSSH 7.4, specifically:
I was able to set my user's shell to either /sbin/nologin or /bin/false and was able to log into server B through server A.
Examples
or
host A → B
Tries to log into server B (mulder) through server A (centos7) worked.
host A → B → C
And on the off chance that it was something funny with my going through the VM, I added a 3rd host to the mix, and it still worked.
NOTE: in the above scenario, the user1 has /sbin/nologin defined in /etc/passwd on the servers centos7 & mulder.
Debugging your issue
So I'd start with -vvv switches to debug ssh.
NOTE: With the above you can see what -J is actually doing behind the scenes, as it expands to various ssh commands as it progresses through the jump proxy servers.
To triage your issue further, I'd suggest running these commands directly and seeing how they fare.
root@localhost → root@localhost
In my experiments I could ssh in the same manner that you were trying:
To do this you have to have /etc/ssh/sshd_config set so that root is permitted logging in.
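Added example (not part of the original question or answer): the OpenSSH client turns -J into a ProxyCommand and starts it on the client side as $SHELL -c "exec ...", which is consistent with the "/sbin/nologin: invalid option -- 'c'" line in the question. The check below tests whether a given shell can be used that way; the function names and the stand-in nologin script are constructed for illustration.

```shell
#!/bin/sh
# Added example. ssh runs a ProxyCommand (what -J becomes) on the client as
#   $SHELL -c "exec <command>"
# so the LOCAL account's shell must accept -c, whatever the remote shell is.

# check_proxy_shell PATH
# Returns 0 if PATH can start a command the way ssh starts a ProxyCommand,
# 1 otherwise. Prints a one-line verdict.
check_proxy_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "FAIL $shell_path: not executable"
        return 1
    fi
    if "$shell_path" -c 'exec true' >/dev/null 2>&1; then
        echo "OK   $shell_path: accepts -c, ProxyCommand/-J can start"
        return 0
    fi
    echo "FAIL $shell_path: rejects -c, ProxyCommand/-J cannot start"
    return 1
}

# make_fake_nologin DIR
# Writes a constructed stand-in for /sbin/nologin into DIR (it refuses every
# invocation, including -c) and prints its path.
make_fake_nologin() {
    fake="$1/nologin"
    cat > "$fake" <<'EOF'
#!/bin/sh
echo "nologin: invalid option -- 'c'" >&2
exit 1
EOF
    chmod +x "$fake"
    echo "$fake"
}

# Demo: the shell ssh would pick for this session, then the stand-in nologin.
demo_dir=$(mktemp -d)
check_proxy_shell "${SHELL:-/bin/sh}" || true
check_proxy_shell "$(make_fake_nologin "$demo_dir")" || true
rm -rf "$demo_dir"
```

Run it as the account that types the ssh -J command; a FAIL on the first line points at the client-side shell rather than at sshd on the jump host.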