How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Ángel González keisial at
Thu Nov 26 08:39:57 AEDT 2015

On 25/11/15 16:59, Tinker wrote:
> Hi!
> I tried with all available options to disable forwarding-only 
> connections, by:
> "AllowAgentForwarding no
> AllowTcpForwarding no"
> This had no effect, so what I got in effect was dummy connections.
> I would like to disable this "class" of connections altogether. The 
> outcome will be that all authenticated connections will lead to a 
> command, be it /usr/libexec/sftp-server or other.
> So something like "ForwardingOnlyConnections on/off".
> Would you be interested in adding this to your next release?
> Thanks!
I don't think the ssh protocols allows that. You first authenticate, and 
only then you create the different channels. Also, it would be possible 
to create a pty channel, then a forwarding, then close the first channel.
Do you want to allow forwardings for "command connections"?

More information about the openssh-unix-dev mailing list