Win32-OpenSSH

make defaultshell setable on user or group level

Open matsmcp opened this issue 4 years ago • 0 comments

Feature request Security

Today on Linux I can fine-grain who will be able to get a shell by setting it per user, and deny a shell by setting /bin/false or /sbin/nologin.

On Windows we only have the HKLM registry value DefaultShell, and it affects all users.

Users should never be allowed to log on to the jump host - they should only be allowed to jump through it (i.e. `ssh -J jumphost destinationhost`). Setting DefaultShell to nologin.exe solves this. Firewalls and so on can block access through other protocols.

The issue with this is that now we can't manage the box either, since the management account also gets nologin.exe as its shell.

Therefore I would like to request a feature to allow DefaultShell to be more fine-grained: either by an exclude registry key so that I could set another shell for a user or group, or by making DefaultShell a parameter I could set from the sshd_config file, since I could then fine-grain it through Match rules.

I did attempt a workaround by setting a ForceCommand to my nologin.exe in sshd_config. This will not work, since you can't run logoff or shutdown -l. Both give an API error.

matsmcp, Feb 25 '21 10:02
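For context on what "fine grade it through match rules" already covers, here is an sshd_config Match block, added as an example and not part of the issue, that confines a jump-only group to the forwarding channel `ssh -J` needs. The group name `jumpusers` and the host `destinationhost` are assumed, and the shell a session would still receive is exactly the part this issue says Match cannot set today.

```text
# sshd_config on the jump host (added example; "jumpusers" and
# "destinationhost" are assumed names). Match blocks must come last.

# Everyone not matched below keeps the global settings, including the
# HKLM DefaultShell that operators need for managing the box.

# Jump-only accounts: allow just the direct-tcpip channel that
# "ssh -J jumphost destinationhost" opens, and deny every other feature.
Match Group jumpusers
    AllowTcpForwarding yes
    PermitOpen destinationhost:22
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitUserRC no
    # Note: an interactive session request still lands in DefaultShell,
    # which is why the issue asks for a per-user/per-group shell setting.
```

Restart the sshd service after editing, and verify with a jump-only account that `ssh -J` reaches the destination while a plain `ssh jumphost` is refused a TTY.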