> "If command is specified, it is executed on the remote host instead of a
> login shell."
>
> But afaik this is not quite accurate. The login shell is always started.
> But if a command is specified it runs that command instead of just
> opening an interactive setting.

Not quite. A "login shell" is a specific term in Unix. It means
(roughly) the shell the user has defined (eg in /etc/passwd) but run in
a specific way.

If you look at the underlying C calls you might see something like

  execl("/bin/sh","sh",NULL)

That would run a normal shell. However

  execl("/bin/sh","-sh",NULL)

would be a "login shell". Note the extra "-" character. This tells the
shell that it is being called as a login shell, rather than a subshell.

So if you do something like

  ssh remotehost

then on the remote host it will look up the shell defined in the passwd
file (eg /bin/sh) and do something similar to

  execl("/bin/sh","-sh",NULL)

(The exact calls are more complicated, but this is the essence; I've
simplified)

However if you do

  ssh remotehost command

then it does something more like

  execl("/bin/sh","sh","-c",command,NULL)

> So if a user has /dev/false as login shell, you cannot run a command on

So here is where your confusion over terminology led you wrong. The
password file defines the shell to be used. How the shell is called
determines if it is being used as a login shell or not.

You can read more about "login shells" if you do "man bash" and skip
down to the INVOCATION section

--

rgds
Stephen
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
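
The two invocations described in the message above, as an added example (not part of the original post and not OpenSSH's own code). The helper names `build_shell_argv` and `invoked_as_login_shell` are hypothetical, and the shell path and command are constructed sample values; the point is that the passwd shell is the program executed in both cases and only the argument vector differs.

```c
#include <stdio.h>
#include <string.h>

/* Last path component of the shell from the passwd entry ("/bin/sh" -> "sh"). */
static const char *shell_basename(const char *shell)
{
    const char *slash = strrchr(shell, '/');
    return slash ? slash + 1 : shell;
}

/* Fill argv[] (4 slots). command == NULL: login shell, argv[0] = "-" + basename
 * (built in argv0buf). Otherwise: "<basename> -c <command>".
 * Returns argc, or -1 if argv0buf is too small. */
int build_shell_argv(const char *shell, const char *command,
                     char *argv0buf, size_t buflen, const char *argv[4])
{
    const char *base = shell_basename(shell);
    if (command == NULL) {
        int n = snprintf(argv0buf, buflen, "-%s", base);
        if (n < 0 || (size_t)n >= buflen)
            return -1;               /* refuse a truncated argv[0] */
        argv[0] = argv0buf;
        argv[1] = NULL;
        return 1;
    }
    argv[0] = base;
    argv[1] = "-c";
    argv[2] = command;               /* one string; the shell parses it */
    argv[3] = NULL;
    return 3;
}

/* The argv[0] convention from the message: a leading '-' marks a login shell. */
int invoked_as_login_shell(const char *argv0)
{
    return argv0 != NULL && argv0[0] == '-';
}

int main(void)
{
    char buf[64];
    const char *av[4];
    /* Constructed sample: shell "/bin/sh", command "uptime". */
    build_shell_argv("/bin/sh", NULL, buf, sizeof buf, av);
    printf("ssh host:     %s (login=%d)\n", av[0], invoked_as_login_shell(av[0]));
    build_shell_argv("/bin/sh", "uptime", buf, sizeof buf, av);
    printf("ssh host cmd: %s %s %s (login=%d)\n", av[0], av[1], av[2],
           invoked_as_login_shell(av[0]));
    return 0;
}
```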