How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at
Thu Nov 26 09:16:56 AEDT 2015

On 2015-11-26 06:16, Tinker wrote:
> On 2015-11-26 05:39, Ángel González wrote:
>> On 25/11/15 16:59, Tinker wrote:
>>> Hi!
>>> I tried with all available options to disable forwarding-only 
>>> connections, by:
>>> "AllowAgentForwarding no
>>> AllowTcpForwarding no"
>>> This had no effect, so what I got in effect was dummy connections.
>>> I would like to disable this "class" of connections altogether. The 
>>> outcome will be that all authenticated connections will lead to a 
>>> command, be it /usr/libexec/sftp-server or other.
>>> So something like "ForwardingOnlyConnections on/off".
>>> Would you be interested in adding this to your next release?
>>> Thanks!
>> I don't think the ssh protocols allows that. You first authenticate,
>> and only then you create the different channels. Also, it would be
>> possible to create a pty channel, then a forwarding, then close the
>> first channel.
>> Do you want to allow forwardings for "command connections"?
> Angel,
> Yes - actually my whole problem is that ForceCommand is invoked for
> *all* SSH connections, *except* for the forwarding-only connections.
> Maybe another solution would be to add an option so that ForceCommand
> always is run, e.g. for /bin/noop on all non-SFTP non-shell
> non-command connections.

Ah - kindly let me know how you see that this works currently, and what 
you say about the suggestion?


More information about the openssh-unix-dev mailing list