1. Prologue
You may encounter this situation: when using NetBird SSH to connect to a NixOS machine, you get an error like this:
User switching failed - login command not available
Connection to 100.100.0.1 closed.
If you inspect the logs on the target machine, you may see the following error:
ERRO [session: root@100.100.0.11:25593-28f208a7] client/ssh/server/command_execution_unix.go:173: Pty command creation failed: get login command: login command not available: exec: "login": executable file not found in $PATH
This happens because NixOS doesn't include the login binary in the NetBird package environment, so we have to add it manually. The next section shows how.
2. Workaround
Inside the Nix file where you define the NetBird service, insert the following content:
services.netbird.enable = true;
services.resolved.enable = true;
networking.firewall.trustedInterfaces = [ "wt0" ];
systemd.services.netbird = {
  path = with pkgs; [ shadow ];
};
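We've added the shadow package, which provides the login binary, to the service's path so that the NetBird service can find login in its $PATH when an SSH session starts. Note that the trustedInterfaces line makes the NixOS firewall accept all traffic arriving on wt0, so restricting which peers can reach this machine is left to NetBird's access policies.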
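To confirm the workaround took effect after a rebuild, this added example (not from the original post or the NetBird project) reads the PATH of the running netbird unit from /proc and looks for login in it. The unit name netbird comes from the config above; the function names are hypothetical, and reading the daemon's environ requires root.

```shell
# Added diagnostic: can the running NetBird daemon resolve `login` via its PATH?
# Usage on the target machine, as root:  check_unit netbird login

# find_in_path BIN PATHSTRING: print the first executable match, return 1 if none.
# Runs in a subshell so the IFS and globbing changes do not leak to the caller.
find_in_path() (
    bin=$1
    IFS=:
    set -f                                  # do not glob-expand PATH entries
    for dir in $2; do
        [ -n "$dir" ] || continue           # skip empty PATH entries
        if [ -f "$dir/$bin" ] && [ -x "$dir/$bin" ]; then
            printf '%s\n' "$dir/$bin"
            return 0
        fi
    done
    return 1
)

# path_from_environ FILE: print the PATH value from a NUL-separated environ file.
# /proc/PID/environ reflects the environment the process was started with.
path_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^PATH=//p' | head -n 1
}

# check_unit UNIT BIN: inspect the live main process of a systemd unit.
# Returns 0 if BIN resolves, 1 if it does not, 2 if the unit cannot be inspected.
check_unit() (
    unit=$1
    bin=$2
    pid=$(systemctl show -p MainPID --value "$unit") || return 2
    if [ "${pid:-0}" -le 0 ]; then
        echo "$unit is not running" >&2
        return 2
    fi
    if [ ! -r "/proc/$pid/environ" ]; then
        echo "cannot read /proc/$pid/environ (run as root)" >&2
        return 2
    fi
    path=$(path_from_environ "/proc/$pid/environ")
    if find_in_path "$bin" "$path"; then
        return 0
    fi
    echo "$bin not found in PATH of $unit: $path" >&2
    return 1
)
```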
3. Bonus: NetBird on an MSM8916 WiFi Dongle (2026-03-18)
If you get this error:
root@localhost ~# netbird up
Please do the SSO login in your browser.
If your browser didn't open automatically, use this URL to log in:
https://netbird.example.com/oauth2/device?user_code=XXXX-XXXX
Error: daemon up failed: call service up method: rpc error: code = DeadlineExceeded desc = context deadline exceeded
root@localhost ~ [1]# netbird up
Error: unable to get daemon status: rpc error: code = Unknown desc = create firewall manager: init firewall: router init: create containers: create chain NETBIRD-RT-FWD-IN in table filter: running [/usr/sbin/iptables -t filter -N NETBIRD-RT-FWD-IN --wait]: exit status 1: iptables: Chain already exists.
This is because, in a custom kernel, iptables has a limit of 64 rules. Deploying NetBird exceeds this limit, causing iptables -X to return a "too many rules" error, which breaks NetBird.
The workaround is to switch to nftables:
update-alternatives --set iptables /usr/sbin/iptables-nft
update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
iptables
# iptables v1.8.7 (nf_tables): no command specified
