diff --git a/wgengine/netstack/ssh.go b/wgengine/netstack/ssh.go
index bd70bfc8b..1675c7f9d 100644
--- a/wgengine/netstack/ssh.go
+++ b/wgengine/netstack/ssh.go
@@ -107,7 +107,13 @@ func (ns *Impl) handleSSH(s ssh.Session) {
 		return
 	}
 
-	cmd := exec.Command("/bin/bash")
+	var cmd *exec.Cmd
+	sshUser := s.User()
+	if os.Getuid() != 0 || sshUser == "root" {
+		cmd = exec.Command("/bin/bash")
+	} else {
+		cmd = exec.Command("/usr/bin/env", "su", "-", sshUser)
+	}
 	cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", ptyReq.Term))
 	f, err := pty.Start(cmd)
 	if err != nil {