diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index b18703aa8..7895f8cbd 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -356,6 +356,24 @@ function userHasPrivilege($userent, $privid = false)
     return true;
 }
 
+function auth_get_shells()
+{
+    $shells = array('' => '/sbin/nologin');
+
+    $etc_shells = @file_get_contents('/etc/shells');
+    if (!empty($etc_shells)) {
+        $etc_shells = explode("\n", $etc_shells);
+        foreach ($etc_shells as $shell) {
+            $shell = trim($shell);
+            if (!empty($shell) && strpos($shell, '#') !== 0) {
+                $shells[$shell] = $shell;
+            }
+        }
+    }
+
+    return $shells;
+}
+
 function local_sync_accounts()
 {
     global $config;
@@ -426,7 +444,7 @@ function local_user_set(&$user, $force_password = false)
     $user_name = $user['name'];
     $user_pass = $user['password'];
     $user_home = "/home/{$user_name}";
-    $user_shell = '/sbin/nologin';
+    $user_shell = isset($user['shell']) ? $user['shell'] : '/sbin/nologin';
     $user_group = 'nobody';
     $lock_account = 'lock';
 
@@ -439,6 +457,7 @@ function local_user_set(&$user, $force_password = false)
 
     /* configure shell type */
     if (userHasPrivilege($user, 'user-shell-access')) {
+        /* XXX override the shell for this privilege so we can zap it in 18.7 */
         $user_shell = '/bin/csh';
     }
 
diff --git a/src/www/system_usermanager.php b/src/www/system_usermanager.php
index 5824e41d4..9f4c51e7e 100644
--- a/src/www/system_usermanager.php
+++ b/src/www/system_usermanager.php
@@ -120,7 +120,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         exit;
     } elseif ($act == 'new' || $act == 'edit') {
         // edit user, load or init data
-        $fieldnames = array('user_dn', 'descr', 'expires', 'scope', 'uid', 'priv', 'ipsecpsk', 'lifetime', 'otp_seed', 'email', 'comment');
+        $fieldnames = array('user_dn', 'descr', 'expires', 'scope', 'uid', 'priv', 'ipsecpsk', 'lifetime', 'otp_seed', 'email', 'shell', 'comment');
         if (isset($id)) {
             if (isset($a_user[$id]['authorizedkeys'])) {
                 $pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
@@ -354,6 +354,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 unset($userent['comment']);
             }
 
+            if (!empty($pconfig['shell'])) {
+                $userent['shell'] = $pconfig['shell'];
+            } elseif (isset($userent['shell'])) {
+                unset($userent['shell']);
+            }
+
             if (isset($id)) {
                 $a_user[$id] = $userent;
             } else {
@@ -635,6 +641,18 @@ $( document ).ready(function() {
                       <?= $pconfig['language'] ?>
                     </td>
                   </tr>
+                  <tr>
+                    <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Login shell') ?></td>
+                    <td>
+                      <select name="shell" class="selectpicker" data-style="btn-default">
+<?php
+                      foreach (auth_get_shells() as $shell_key => $shell_value) :?>
+                        <option value="<?= html_safe($shell_key) ?>" <?= $pconfig['shell'] == $shell_key ? 'selected="selected"' : '' ?>><?= $shell_value ?></option>
+<?php
+                      endforeach;?>
+                      </select>
+                    </td>
+                  </tr>
                   <tr>
                     <td><a id="help_for_expires" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Expiration date"); ?></td>
                     <td>