Can a command be executed over ssh with a nologin user?

If a user has loginShell=/sbin/nologin, is it still possible to

ssh user@machine [command]

assuming that the user has proper ssh keys in its home directory that can be used to authenticate?

My goal is to keep the user as a nologin, but still able to execute commands on a few other machines on the network (similar to its use through ‘sudo -u’), and am wondering if this is a reasonable course.

Asked By: Centimane


I don’t know whether that is possible (should be easy to test though) but there is a feature which probably answers your question in a certain way and in any case solves your problem.

You can add a command to the key line in authorized_keys. In that case this command is executed, nothing else. I assume this works with /sbin/nologin as the shell should be ignored anyway.

But you would need a different key for every command you allow.

Answered By: Hauke Laging
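
The authorized_keys `command=` option from the answer above, shown as an added example that is not part of the original answers: one key is tied to a wrapper that checks the client's request in `SSH_ORIGINAL_COMMAND` against a fixed list. The wrapper path, the allowlist entries and the key line are constructed for illustration. It assumes the account's login shell can run a script, because sshd starts the forced command through that shell.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a single authorized_keys entry.
# Hypothetical install path /usr/local/bin/ssh-allow; the key is a placeholder:
#   command="/usr/local/bin/ssh-allow",restrict ssh-ed25519 AAAA...PLACEHOLDER svc@host
# sshd runs this wrapper instead of whatever the client asked for and passes
# the client's request in the SSH_ORIGINAL_COMMAND environment variable.

# Map a request to the fixed command line we are willing to run.
# Prints that command line and returns 0 if allowed; returns 1 otherwise.
# Patterns are quoted, so they match the whole string literally: a request
# with extra arguments or shell metacharacters matches nothing.
resolve_request() {
    case "$1" in
        "uptime")     echo "/usr/bin/uptime" ;;
        "disk-usage") echo "/bin/df -h" ;;
        "whoami")     echo "/usr/bin/id -un" ;;
        *)            return 1 ;;
    esac
}

# Act only when sshd supplied a request. With no request (an interactive
# login attempt) nothing is run and the session simply ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(resolve_request "$SSH_ORIGINAL_COMMAND"); then
        # Unquoted on purpose: $cmd is one of the fixed strings above, never
        # client input, so word splitting only separates our own arguments.
        exec $cmd
    fi
    # Record the refusal for later review, then fail closed.
    logger -t ssh-allow "denied request: $SSH_ORIGINAL_COMMAND" 2>/dev/null || true
    echo "ssh-allow: command not permitted" >&2
    exit 1
fi
```

With this in place the client runs, for example, `ssh user@machine disk-usage`, and any request outside the list is refused and logged.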

It seems the answer is no.

ssh user@machine [command]

with ssh keys in place only results in:

This account is currently not available

rather than the command executing; seems I’ll have to give it access to bash.

Answered By: Centimane

Setting /sbin/nologin as the user’s shell (or /bin/false or /bin/true, which are almost equivalent) forbids the user from logging in to run any command whatsoever. SSH always invokes the user’s login shell to run commands, so you need to set the login shell to one that is able to run some commands.

There are several restricted shells that allow users to run only a few commands. For example rssh and scponly are both such shells that allow the user to run a few predefined commands (such as scp, sftp-server, rsync, …). See also Restrict user access in linux and Do you need a shell for SCP?

Just need to put your command between quotes like:

ssh user@hostname "your_command"

Answered By: user427035