Netgate Discussion Forum

Allowing ssh straight to the shell

Firewalling
11 Posts 4 Posters 4.2k Views
DominikHoffmann, last edited Mar 21, 2017, 3:55 PM

I had my DD-WRT router set up so that I could ssh to it. When the connection was made, I ended up in the router's shell. On my pfSense box I get the text-interface menu, where the shell is an option. This means that I cannot reach the shell directly, which I would like to do, in order to tunnel ports to other hosts on the network.

Is there a way to configure pfSense to have ssh connect to the shell and perhaps launch the menu through a shell command?

NOYB, last edited Mar 21, 2017, 6:04 PM

This is what I do for directly running tcpdump through ssh. Though it's not what you are attempting, maybe it could spark some ideas.

    "C:\Program Files\PuTTY\plink.exe" -ssh -pw password root@pfSense.localdomain tcpdump -p -n -nn -s 0 -U -w - -i bfe0 not port 22 and src or dst 192.168.2.1 | "C:\Program Files\Wireshark\wireshark.exe" -i - -k

or replace the password with the -i option and a key file:

    "C:\Program Files\PuTTY\plink.exe" -ssh -i "C:\Program Files (x86)\WinSCP\Keys\pfSense\id_rsa_4096_SSH_Private_Key.ppk" root@pfSense.localdomain tcpdump -p -n -nn -s 0 -U -w - -i bfe0 not port 22 and src or dst 192.168.2.1 | "C:\Program Files\Wireshark\wireshark.exe" -i - -k

DominikHoffmann, last edited Mar 21, 2017, 7:51 PM

What exactly does that accomplish?

By the way, I am on a Mac and have Terminal instead of Putty.

johnpoz LAYER 8 Global Moderator, last edited Mar 21, 2017, 7:55 PM

If you log in with a different user than root/admin, you will not get the menu, just the shell.

So see: if I log in with root or admin, you get the menu you're talking about. I created a johnpoz account, using the same public key for auth. And boom, you're straight into the shell.

[screenshot: nonadmin_root.png]

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

NOYB, Mar 21, 2017, 8:10 PM, last edited Mar 21, 2017, 8:17 PM

@DominikHoffmann:

> What exactly does that accomplish?
>
> By the way, I am on a Mac and have Terminal instead of Putty.

It starts tcpdump on pfSense and streams it to local Wireshark for live capture.

I have several "canned" commands for common stuff. Similar capability is under development for inclusion in Wireshark. Then the external ssh command won't be needed anymore. That will be really nice.

Netcat can be used instead of plink. Some people do that. But since I'm using PuTTY/WinSCP, plink is already on the system. So I make use of that.

What John said is probably what you are looking for. My guess is that the account he created just has a different shell assigned to it than what the root account has. Have not verified though, so could be completely wrong about what is going on with that.

Or maybe the root account just runs some scripts at login time.

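The same capture pipeline for the Terminal-on-a-Mac case DominikHoffmann mentions, as an added example that is not NOYB's command and not Netgate code: OpenSSH stands in for plink, and the pcap stream from the firewall's tcpdump goes into a local Wireshark. The interface name bfe0 and the host 192.168.2.1 are the thread's own; the account name `capture@`, the Wireshark bundle path and the DRY_RUN switch are assumptions made here. One detail worth keeping from NOYB's filter is the exclusion of the ssh port: without it the capture records its own transport stream, and every captured packet generates more ssh traffic to capture.

```shell
#!/bin/sh
# Run tcpdump on the firewall over ssh and feed the pcap stream into a local
# Wireshark. Constructed example for macOS/Linux; not the thread's plink
# command and not pfSense's own tooling.
#
# Assumptions: key-based auth for the remote account, tcpdump available on the
# firewall, and Wireshark at $WIRESHARK (default is the macOS application
# bundle executable; set WIRESHARK=wireshark on Linux).
WIRESHARK=${WIRESHARK:-/Applications/Wireshark.app/Contents/MacOS/Wireshark}

# build_capture_cmd <iface> <host to capture> <ssh port>
# Prints the remote tcpdump command line.
#   -p   do not put the interface into promiscuous mode
#   -n   do not resolve addresses
#   -s 0 capture whole packets
#   -U   flush each packet to stdout, so Wireshark updates live
#   -w - write pcap to stdout instead of a file
# "not port <sshport>" keeps the capture from recording its own ssh session;
# "host X" is the same filter as NOYB's "src or dst X".
build_capture_cmd() {
    iface=$1; host=$2; sshport=$3
    printf 'tcpdump -p -n -s 0 -U -w - -i %s not port %s and host %s' \
        "$iface" "$sshport" "$host"
}

# remote_capture <user@firewall> <iface> <host to capture> [ssh port]
# With DRY_RUN set, prints the pipeline instead of running it.
remote_capture() {
    target=$1; iface=$2; host=$3; sshport=${4:-22}
    remote_cmd=$(build_capture_cmd "$iface" "$host" "$sshport")
    if [ -n "$DRY_RUN" ]; then
        printf 'ssh -p %s %s %s | %s -k -i -\n' \
            "$sshport" "$target" "$remote_cmd" "$WIRESHARK"
        return 0
    fi
    # -k starts capturing immediately; -i - reads the pcap stream from stdin.
    ssh -p "$sshport" "$target" "$remote_cmd" | "$WIRESHARK" -k -i -
}

# Example invocation matching the thread's interface and host
# (capture@ is a placeholder account name):
#   remote_capture capture@pfSense.localdomain bfe0 192.168.2.1
```

Because the remote side is just a command passed to ssh, the same account can be restricted to that command with a `command=` option on its authorized_keys entry, so the capture key never gets an interactive session.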
DominikHoffmann, last edited Mar 21, 2017, 8:11 PM

Going with a separate user ID is just fine for my application.

Thanks to you both!

johnpoz LAYER 8 Global Moderator, last edited Mar 21, 2017, 8:37 PM

"Thanks to you both!"

You sure about that?? Seems NOYB got the thank you for his post, which didn't answer your question. But I posted up screenshots showing you that it works, and yet I get bupkis - heheh.. at least it seems you didn't smite me.. ROFL!!!

DominikHoffmann, last edited Mar 21, 2017, 8:39 PM

I haven't used this forum much, and haven't used this forum format elsewhere, and therefore didn't realize that one can hand out only one Thanks per thread started.

johnpoz LAYER 8 Global Moderator, last edited Mar 21, 2017, 8:41 PM

You can remove his ;) And give it to the person who actually helped you ;)

JKnott, last edited Mar 22, 2017, 5:15 PM

If I'm not mistaken, this is determined by /root/.shrc which, when it detects root login, runs /etc/rc.initial.

It shouldn't be too hard to modify .shrc to not run the shell.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

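The login-time dispatch JKnott describes (an rc file that starts the menu only when it sees a root login) together with johnpoz's observation that a non-admin account lands straight in the shell, written out as an added sh function. This is a constructed illustration and not pfSense's actual /root/.shrc or /etc/rc.initial; the set of menu accounts, the interactive-terminal check and the SSH_ORIGINAL_COMMAND handling are assumptions about how such a guard would be written, added because they are the two cases where an unconditional menu gets in the way of scripted ssh use.

```shell
#!/bin/sh
# Illustrative login dispatch in the style of a ~/.shrc guard. Constructed
# example; not pfSense's real /root/.shrc or /etc/rc.initial logic.
#
# login_dispatch <login user> <interactive: 1|0> <ssh original command>
# Prints "menu" when the console menu should run and "shell" otherwise, so
# the decision can be tested without a terminal or an sshd in the loop.
login_dispatch() {
    user=$1
    interactive=$2
    orig_cmd=$3

    # Assumption: only the built-in administrative accounts get the menu;
    # any other account (the thread's extra user) falls through to the shell.
    case "$user" in
        root|admin) ;;
        *) echo shell; return 0 ;;
    esac

    # sshd sets SSH_ORIGINAL_COMMAND when a forced command (ForceCommand or a
    # command= option in authorized_keys) is in effect and the client asked for
    # a command, e.g. "ssh fw tcpdump -w -". That is not an interactive login,
    # so never put the menu in front of it.
    if [ -n "$orig_cmd" ]; then
        echo shell; return 0
    fi

    # No terminal attached (ssh -T, batch jobs): the menu would block waiting
    # for keyboard input, so fall through to the shell instead.
    if [ "$interactive" != 1 ]; then
        echo shell; return 0
    fi

    echo menu
}

# How an rc file would call it (assumption: sourced by the login shell):
#   if [ -t 0 ]; then tty_flag=1; else tty_flag=0; fi
#   case "$(login_dispatch "$(id -un)" "$tty_flag" "$SSH_ORIGINAL_COMMAND")" in
#       menu) /etc/rc.initial ;;
#   esac
```

For tunnel-only use, `ssh -N -L localport:host:port user@firewall` requests no remote command and no shell at all, so neither the menu nor the shell is involved; combined with the dedicated key-only account the thread settles on, the administrative login never has to be exposed for port forwarding.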
DominikHoffmann, last edited Mar 22, 2017, 6:15 PM

Setting up a separate user does the trick for me. It also adds another layer of protection against brute-force attacks, although I have shut down password login.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.