I have machines A, B and C.

User is on Machine A and wants to ssh to Machine C via Machine B. User has shells on Machine A and C, but /usr/sbin/nologin on Machine B. Is it possible to ssh to Machine C via B?

The following command results in:

ssh -t B ssh C
This account is currently not available.

If I ssh to Machine C with a user with shell on B, the command works.

pdns
  • Related: https://unix.stackexchange.com/questions/184031/can-a-command-be-executed-over-ssh-with-a-nologin-user?rq=1 – nohillside May 08 '18 at 06:44

1 Answer

Having read the link from patrix' comment, I can tell that's still possible, if ssh doesn't try to execute the shell. A recent feature of OpenSSH 7.3 is called ProxyJump (and is only a built-in and optimized (using pipes) shortcut for some longer ProxyCommand). This feature works only at the tunnel level and never executes the shell on the intermediate host.

So if on B the user account login is disabled by a nologin shell, but authentication is still working, and there's no ssh configuration preventing forwarding (i.e. AllowTcpForwarding is not set to only remote or no, but to at least local or yes), the working command is simply:

ssh -J B C

On older ssh versions and without configuration you could do the same with something like:

ssh -f -N -L 2222:C:22 B
ssh -p 2222 localhost

The key point is this:

-N Do not execute a remote command. This is useful for just forwarding ports.

A.B
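
Since a nologin shell on B does not by itself stop B from relaying connections, an administrator may want to check the forwarding settings this answer refers to. The script below is an added example, not part of the original answer: it classifies `sshd -T`-style output. The function names and sample data are constructed, and the PermitOpen and DisableForwarding checks go beyond the AllowTcpForwarding setting the answer mentions.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# True if the passwd(5) line in $1 ends in a no-login shell.
has_nologin_shell() {
    case "${1##*:}" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `sshd -T`-style output ("keyword value", keyword in lowercase) on stdin
# and prints one verdict on local (direct-tcpip) forwarding, which is what
# `ssh -J` and `ssh -L` need on the intermediate host.
forwarding_verdict() {
    awk '
        $1 == "allowtcpforwarding" { fwd = tolower($2) }
        $1 == "disableforwarding"  { dis = tolower($2) }
        $1 == "permitopen"         { $1 = ""; sub(/^ /, ""); open = $0 }
        END {
            if (fwd == "")  fwd = "yes"    # sshd default when the keyword is absent
            if (open == "") open = "any"   # sshd default when the keyword is absent
            if (dis == "yes")
                print "blocked: disableforwarding yes"
            else if (fwd == "no" || fwd == "remote")
                print "blocked: allowtcpforwarding " fwd
            else if (open == "none")
                print "blocked: permitopen none"
            else if (open != "any")
                print "restricted: permitopen " open
            else
                print "allowed: allowtcpforwarding " fwd
        }'
}

# Constructed excerpt of `sshd -T` output for host B.
sample_sshd_T() {
    printf '%s\n' 'port 22' 'allowtcpforwarding yes' \
        'disableforwarding no' 'permitopen any'
}

line='user:x:1001:1001::/home/user:/usr/sbin/nologin'   # constructed passwd entry
if has_nologin_shell "$line"; then
    echo "nologin shell; forwarding $(sample_sshd_T | forwarding_verdict)"
fi
```

On a real host the input would come from `sshd -T`, which prints the server's effective configuration.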