How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
tinkr at openmailbox.org
Thu Nov 26 09:16:25 AEDT 2015
On 2015-11-26 05:39, Ángel González wrote:
> On 25/11/15 16:59, Tinker wrote:
>> I tried with all available options to disable forwarding-only
>> connections, by:
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>> This had no effect, so what I got in effect was dummy connections.
>> I would like to disable this "class" of connections altogether. The
>> outcome will be that all authenticated connections will lead to a
>> command, be it /usr/libexec/sftp-server or other.
>> So something like "ForwardingOnlyConnections on/off".
>> Would you be interested in adding this to your next release?
> I don't think the ssh protocols allows that. You first authenticate,
> and only then you create the different channels. Also, it would be
> possible to create a pty channel, then a forwarding, then close the
> first channel.
> Do you want to allow forwardings for "command connections"?
Yes - actually my whole problem is that ForceCommand is invoked for
*all* SSH connections, *except* for the forwarding-only connections.
Maybe another solution would be to add an option so that ForceCommand
always is run, e.g. for /bin/noop on all non-SFTP non-shell non-command
More information about the openssh-unix-dev