I'm trying to use an SSH tunnel through a host that only allows local port forwarding, nothing else. For reproducibility purposes, the example in this report uses a pretty much default ssh configuration, with the user's shell being a shell script echoing that the user isn't supposed to log in and then exits.

As I'm defaulting to using ControlMaster and ControlPersist in my ssh_config, I came across this, as it effectively makes this connection impossible to use unless ControlMaster and ControlPath are explicitly disabled for this destination.

A working example would be:

    ssh -F /dev/null -vvv -N -o ControlMaster=auto -o ControlPath=~/cptest localhost

In this case I can open a connection and nothing happens, as expected. Adding a port forward with -L works fine too and I can reach the intended destination. Great.

Once I add ControlPersist to this command, however, it breaks:

    ssh -F /dev/null -vvv -N -o ControlMaster=auto -o ControlPath=~/cptest -o ControlPersist=5 localhost

Leading up to the exit I find this in the SSH logs (some lines omitted):

    debug2: channel 2: request shell confirm 1
    debug2: shell request accepted on channel 2
    This is not a real shell, you are not supposed to login.
    debug1: client_input_channel_req: channel 2 rtype exit-status reply 0
    debug3: mux_exit_message: channel 2: exit message, exitval 0

The message is coming from the user's shell. The ControlMaster keeps running in the background until ControlPersist times out. I can also verify that it still has a working session, as I can access a -L forwarded port before it's closing the ControlMaster session.

Client and server config as well as -vvv client logs of both scenarios are attached.

Tested on 8.1 (macOS), 8.2 (Linux) and 8.5 (Linux).
Created attachment 3490: ssh_config
Created attachment 3491: sshd_config
Created attachment 3492: client logs with ControlPersist
Created attachment 3493: client logs without ControlPersist
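
The per-destination workaround the report mentions (explicitly disabling ControlMaster and ControlPath for the affected host), written as an ssh_config fragment. This is an added example, not part of the original report or its attachments; the host alias, HostName, User, forwarded ports and the global ControlPath value are hypothetical.

```sshconfig
# Added example; alias, HostName, User, ports and ControlPath are constructed.
# ssh_config uses the first value obtained for each option, so this
# host-specific block must appear before the "Host *" defaults below.
Host tunnel-only
    HostName forward-only.example.org
    User tunneluser
    # Opt this destination out of connection multiplexing entirely.
    ControlMaster no
    ControlPath none
    # Exit instead of staying connected if the local port cannot be bound.
    ExitOnForwardFailure yes
    LocalForward 127.0.0.1:8080 127.0.0.1:80

# Global multiplexing defaults of the kind the reporter describes.
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%C
    ControlPersist 5
```

With this layout, `ssh -N tunnel-only` connects without a control socket, which is the configuration the report describes as working on affected versions.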
Created attachment 3512: handle -N with ControlPersist
A similar fix was committed in 1e9fa55f4dc4b and will be in OpenSSH 8.7
closing bugs resolved before openssh-8.9