diff --git a/Makefile b/Makefile index 532bded94..63998522d 100644 --- a/Makefile +++ b/Makefile @@ -129,6 +129,7 @@ publishdevproxy: check-image-repo ## Build and publish k8s-proxy image to locati sshintegrationtest: ## Run the SSH integration tests in various Docker containers @GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \ GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \ + echo "Testing on debian:trixie" && docker build --build-arg="BASE=debian:trixie" -t ssh-debian-trixie ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ diff --git a/ssh/tailssh/tailssh_integration_test.go b/ssh/tailssh/tailssh_integration_test.go index 9ab26e169..14c3e5e21 100644 --- a/ssh/tailssh/tailssh_integration_test.go +++ b/ssh/tailssh/tailssh_integration_test.go @@ -97,10 +97,10 @@ func TestIntegrationSSH(t *testing.T) { debugTest.Store(false) }) - homeDir := "/home/testuser" - if runtime.GOOS == "darwin" { - homeDir = "/Users/testuser" - } + // homeDir := "/home/testuser" + // if runtime.GOOS == "darwin" { + // homeDir = "/Users/testuser" + // } tests := []struct { cmd string 
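Review bot: The `homeDir` block at the top of this hunk is commented out rather than deleted, and the next hunk also comments out the `pwd` and `os.Getenv("SKIP_FILE_OPS")` cases that used it. If those were the only references to `runtime` and `os` in this file (the import block is not visible here), the test binary will stop compiling, because Go rejects unused imports. Restore the live lines `homeDir := "/home/testuser"` and the `darwin` override together with the cases that consume them, instead of leaving them as dead comments. TestIntegrationSSH begins and ends outside this hunk.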
@@ -108,40 +108,47 @@ func TestIntegrationSSH(t *testing.T) { forceV1Behavior bool skip bool allowSendEnv bool + requiresShell bool }{ + // { + // cmd: "id", + // want: []string{"testuser", "groupone", "grouptwo"}, + // forceV1Behavior: false, + // }, + // { + // cmd: "id", + // want: []string{"testuser", "groupone", "grouptwo"}, + // forceV1Behavior: true, + // }, + // { + // cmd: "pwd", + // want: []string{homeDir}, + // skip: os.Getenv("SKIP_FILE_OPS") == "1" || !fallbackToSUAvailable(), + // forceV1Behavior: false, + // }, + // { + // cmd: "echo 'hello'", + // want: []string{"hello"}, + // skip: os.Getenv("SKIP_FILE_OPS") == "1" || !fallbackToSUAvailable(), + // forceV1Behavior: false, + // }, + // { + // cmd: `echo "${GIT_ENV_VAR:-unset1} ${EXACT_MATCH:-unset2} ${TESTING:-unset3} ${NOT_ALLOWED:-unset4}"`, + // want: []string{"working1 working2 working3 unset4"}, + // forceV1Behavior: false, + // allowSendEnv: true, + // }, + // { + // cmd: `echo "${GIT_ENV_VAR:-unset1} ${EXACT_MATCH:-unset2} ${TESTING:-unset3} ${NOT_ALLOWED:-unset4}"`, + // want: []string{"unset1 unset2 unset3 unset4"}, + // forceV1Behavior: false, + // allowSendEnv: false, + // }, { - cmd: "id", - want: []string{"testuser", "groupone", "grouptwo"}, - forceV1Behavior: false, - }, - { - cmd: "id", - want: []string{"testuser", "groupone", "grouptwo"}, + cmd: `locale`, + want: []string{"UTF-8"}, forceV1Behavior: true, - }, - { - cmd: "pwd", - want: []string{homeDir}, - skip: os.Getenv("SKIP_FILE_OPS") == "1" || !fallbackToSUAvailable(), - forceV1Behavior: false, - }, - { - cmd: "echo 'hello'", - want: []string{"hello"}, - skip: os.Getenv("SKIP_FILE_OPS") == "1" || !fallbackToSUAvailable(), - forceV1Behavior: false, - }, - { - cmd: `echo "${GIT_ENV_VAR:-unset1} ${EXACT_MATCH:-unset2} ${TESTING:-unset3} ${NOT_ALLOWED:-unset4}"`, - want: []string{"working1 working2 working3 unset4"}, - forceV1Behavior: false, - allowSendEnv: true, - }, - { - cmd: `echo "${GIT_ENV_VAR:-unset1} ${EXACT_MATCH:-unset2} 
${TESTING:-unset3} ${NOT_ALLOWED:-unset4}"`, - want: []string{"unset1 unset2 unset3 unset4"}, - forceV1Behavior: false, - allowSendEnv: false, + requiresShell: true, }, } @@ -152,6 +159,9 @@ func TestIntegrationSSH(t *testing.T) { // run every test both without and with a shell for _, shell := range []bool{false, true} { + if test.requiresShell && !shell { + continue + } shellQualifier := "no_shell" if shell { shellQualifier = "shell" diff --git a/ssh/tailssh/testcontainers/Dockerfile b/ssh/tailssh/testcontainers/Dockerfile index 4ef1c1eb0..fc6f6671d 100644 --- a/ssh/tailssh/testcontainers/Dockerfile +++ b/ssh/tailssh/testcontainers/Dockerfile @@ -4,7 +4,7 @@ FROM ${BASE} ARG BASE RUN echo "Install openssh, needed for scp. Also install python3" -RUN if echo "$BASE" | grep "ubuntu:"; then apt-get update -y && apt-get install -y openssh-client python3 python3-pip; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then apt-get update -y && apt-get install -y openssh-client python3 python3-pip; fi RUN if echo "$BASE" | grep "alpine:"; then apk add openssh python3 py3-pip; fi RUN echo "Install paramiko" 
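Review bot: Every existing case in the `tests` table is commented out here, leaving `locale` as the only case, which reads like a debugging leftover. The disabled cases include the security-relevant ones. The two `id` cases check that the session runs as `testuser` with `groupone` and `grouptwo`. The two `echo "${GIT_ENV_VAR:-unset1} ..."` cases check that `NOT_ALLOWED` stays `unset4` and that nothing is forwarded when `allowSendEnv` is false. Uncomment all six and keep the new `locale` entry as a seventh case, so the Debian run still exercises the user, group and environment-filtering checks. Separately, `want: []string{"UTF-8"}` presumably depends on how each base image configures its locale, so confirm it holds on the Alpine and Ubuntu images too.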
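Review bot: The new `requiresShell` field and the `if test.requiresShell && !shell { continue }` guard have no comment explaining why a case would only be meaningful with a shell. A short field comment such as `// requiresShell skips the no-shell variant; set it for commands whose result depends on login-shell setup (e.g. locale)` would tell the next reader when to set it. Because the guard uses a bare `continue`, the skipped variant leaves no trace in `-test.v` output. If that matters, create the subtest and call `t.Skip` inside it. The loop body continues outside this hunk.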
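Review bot: `egrep` is marked obsolescent in GNU grep, and newer releases may print a warning to stderr on every call, so the replacement for `grep "ubuntu:"` should be `grep -E "(ubuntu|debian):"`. The same `egrep` call is repeated in the hunks at -12, -30, -50 and -70 of this Dockerfile, so the change applies to all of them. With the distro test now copied a dozen times, it may be worth computing it once and reusing the result, so that a future base image needs a single edit.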
@@ -12,11 +12,11 @@ RUN pip3 install paramiko==3.5.1 || pip3 install --break-system-packages paramik # Note - on Ubuntu, we do not create the user's home directory, pam_mkhomedir will do that # for us, and we want to test that PAM gets triggered by Tailscale SSH. -RUN if echo "$BASE" | grep "ubuntu:"; then groupadd -g 10000 groupone && groupadd -g 10001 grouptwo && useradd -g 10000 -G 10001 -u 10002 testuser; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then groupadd -g 10000 groupone && groupadd -g 10001 grouptwo && useradd -g 10000 -G 10001 -u 10002 testuser; fi # On Alpine, we can't configure pam_mkhomdir, so go ahead and create home directory. RUN if echo "$BASE" | grep "alpine:"; then addgroup -g 10000 groupone && addgroup -g 10001 grouptwo && adduser -u 10002 -D testuser && addgroup testuser groupone && addgroup testuser grouptwo; fi -RUN if echo "$BASE" | grep "ubuntu:"; then \ +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then \ echo "Set up pam_mkhomedir." && \ sed -i -e 's/Default: no/Default: yes/g' /usr/share/pam-configs/mkhomedir && \ cat /usr/share/pam-configs/mkhomedir && \ 
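Review bot: The comment above the `useradd` line still says "on Ubuntu, we do not create the user's home directory", but the branch now also runs for `debian:` bases. It should read something like `# Note - on Ubuntu and Debian, we do not create the user's home directory; pam_mkhomedir will do that`. The `sed -i` on `/usr/share/pam-configs/mkhomedir` in the following `RUN` assumes that file exists with a `Default: no` line on debian:trixie. It is worth confirming this, because `sed` exits successfully even when nothing matches, and PAM home-directory creation would then go untested without any error. That `RUN` block continues outside this hunk.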
@@ -30,13 +30,13 @@ RUN chmod 755 tailscaled RUN echo "First run tests normally." RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding -RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP -RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP -RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH -RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationParamiko RUN echo "Then run tests as non-root user testuser and make sure tests still pass." @@ -50,7 +50,7 @@ RUN TAILSCALED_PATH=`pwd`tailscaled SKIP_FILE_OPS=1 su -m testuser -c "./tailssh RUN chmod 0755 /home/testuser RUN chown root:root /tmp/tailscalessh.log -RUN if echo "$BASE" | grep "ubuntu:"; then \ +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then \ echo "Then run tests in a system that's pretending to be SELinux in enforcing mode" && \ # Remove execute permissions for /usr/bin/login so that it fails. mv /usr/bin/login /tmp/login_orig && \ 
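Review bot: The "pretending to be SELinux" branch at -50 now runs on Debian as well and begins with `mv /usr/bin/login /tmp/login_orig`. The later context line `rm \`which login\`` in the -70 hunk likewise assumes the binary is present. I can't tell from the diff whether the `debian:trixie` base image ships `/usr/bin/login`. If it does not, the `mv` aborts the build, and `rm` with an empty argument fails too. If the package is missing, add `login` to the `apt-get install` line for the Debian case, rather than guarding the step, so that the scenario is still tested. This `RUN` block continues outside the hunk.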
@@ -70,11 +70,11 @@ RUN if echo "$BASE" | grep "ubuntu:"; then \ RUN echo "Then remove the login command and make sure tests still pass." RUN rm `which login` RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding -RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP -RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP -RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi +RUN if echo "$BASE" | egrep "(ubuntu|debian):"; then rm -Rf /home/testuser; fi RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH RUN echo "Then remove the su command and make sure tests still pass."