Something has to interpret that series of alphabetical characters
into commands, options, etc. That is what a shell does. The program
"nologin" does not do that. You could put it into /etc/rc.local in which
case it will be the root shell that does it.
It turns out that the issue was the presence of a ProxyCommand in the
global configuration (presumably added by the FreeIPA installation).
strace showed that the SSH client tries to use a shell to run the
command specified by the ProxyCommand, which obviously fails if the
shell is /sbin/nologin. After overriding that for this specific usage,
I am able to establish the tunnel as a "shell-less" user.
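
The condition described above can be checked before starting a tunnel. This is an added example, not part of the original posts: it reads the effective client configuration in the format printed by `ssh -G <host>` and flags a ProxyCommand that would be run through a non-shell. The host name, helper path and sample configuration text are constructed, and `ProxyCommand none` is one way to override the global setting.

```shell
#!/bin/sh
# Added example. Input: the account's login shell as an argument and the
# text of `ssh -G <host>` (effective client config) on stdin.

# Constructed samples of `ssh -G` output (not taken from the thread).
SAMPLE_WITH_PROXY='hostname gateway.example.test
user tunnel
proxycommand /usr/bin/example-proxy-helper %h %p'
SAMPLE_NO_PROXY='hostname gateway.example.test
user tunnel'
SAMPLE_OVERRIDDEN='hostname gateway.example.test
proxycommand none'

# Print the effective ProxyCommand, or nothing if the option is absent.
proxy_command_from_config() {
    awk 'tolower($1) == "proxycommand" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# tunnel_check LOGIN_SHELL   (ssh -G output on stdin)
# Returns 0 if the tunnel can start, 1 if a ProxyCommand is configured and
# the login shell cannot execute it.
tunnel_check() {
    login_shell=$1
    proxy=$(proxy_command_from_config)
    case $proxy in
        ''|none) return 0 ;;          # nothing for a shell to run
    esac
    case $login_shell in
        */nologin|*/false)
            echo "ProxyCommand '$proxy' needs a shell; login shell is $login_shell" >&2
            return 1 ;;
    esac
    return 0
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_WITH_PROXY" | tunnel_check /sbin/nologin ||
    echo "override for this connection, e.g. with -o ProxyCommand=none"
```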