How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at
Thu Nov 26 09:16:25 AEDT 2015

On 2015-11-26 05:39, Ángel González wrote:
> On 25/11/15 16:59, Tinker wrote:
>> Hi!
>> I tried with all available options to disable forwarding-only 
>> connections, by:
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>> This had no effect, so what I got in effect was dummy connections.
>> I would like to disable this "class" of connections altogether. The 
>> outcome will be that all authenticated connections will lead to a 
>> command, be it /usr/libexec/sftp-server or other.
>> So something like "ForwardingOnlyConnections on/off".
>> Would you be interested in adding this to your next release?
>> Thanks!
> I don't think the ssh protocols allows that. You first authenticate,
> and only then you create the different channels. Also, it would be
> possible to create a pty channel, then a forwarding, then close the
> first channel.
> Do you want to allow forwardings for "command connections"?


Yes - actually my whole problem is that ForceCommand is invoked for 
*all* SSH connections, *except* for the forwarding-only connections.

Maybe another solution would be to add an option so that ForceCommand 
always is run, e.g. for /bin/noop on all non-SFTP non-shell non-command 


More information about the openssh-unix-dev mailing list