How to disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
Tinker
tinkr at openmailbox.org
Thu Nov 26 09:16:56 AEDT 2015
On 2015-11-26 06:16, Tinker wrote:
> On 2015-11-26 05:39, Ángel González wrote:
>> On 25/11/15 16:59, Tinker wrote:
>>> Hi!
>>>
>>> I tried with all available options to disable forwarding-only
>>> connections, by:
>>>
>>> "AllowAgentForwarding no
>>> AllowTcpForwarding no"
>>>
>>> This had no effect, so what I got in effect was dummy connections.
>>>
>>> I would like to disable this "class" of connections altogether. The
>>> outcome will be that all authenticated connections will lead to a
>>> command, be it /usr/libexec/sftp-server or other.
>>>
>>> So something like "ForwardingOnlyConnections on/off".
>>>
>>> Would you be interested in adding this to your next release?
>>>
>>> Thanks!
>> I don't think the ssh protocols allow that. You first authenticate,
>> and only then you create the different channels. Also, it would be
>> possible to create a pty channel, then a forwarding, then close the
>> first channel.
>> Do you want to allow forwardings for "command connections"?
>
> Angel,
>
> Yes - actually my whole problem is that ForceCommand is invoked for
> *all* SSH connections, *except* for the forwarding-only connections.
>
> Maybe another solution would be to add an option so that ForceCommand
> always is run, e.g. for /bin/noop on all non-SFTP non-shell
> non-command connections.
Ah - kindly let me know how you see that this works currently, and what
you say about the suggestion?
Thanks
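
The ordering discussed in this thread, as an added example that is not part of the original posts and is not OpenSSH code: a simplified model in which authentication completes before any channel exists, and ForceCommand fires only on a session channel's shell, exec or subsystem request. The message labels, class and function names, and the sample sequences are constructed for illustration; the forced command path is the one mentioned in the thread.

```python
from dataclasses import dataclass, field

# Shorthand labels for SSH messages; "direct-tcpip" and "session" are the
# RFC 4254 channel types, the rest of the naming here is hypothetical.
FORWARD_CHANNELS = {"direct-tcpip"}
COMMAND_REQUESTS = {"shell", "exec", "subsystem"}  # requests that start a program

@dataclass
class Connection:
    allow_tcp_forwarding: bool
    force_command: str
    authenticated: bool = False
    open_channels: dict = field(default_factory=dict)  # channel id -> type
    commands_run: list = field(default_factory=list)   # ForceCommand invocations
    refused: list = field(default_factory=list)        # refused channel ids

    def handle(self, msg, *args):
        if msg == "userauth-success":
            self.authenticated = True                  # no channel exists yet
        elif msg == "channel-open":
            chan_id, chan_type = args
            if chan_type in FORWARD_CHANNELS and not self.allow_tcp_forwarding:
                self.refused.append(chan_id)           # AllowTcpForwarding no
            else:
                self.open_channels[chan_id] = chan_type
        elif msg == "channel-request":
            chan_id, request = args
            if (self.open_channels.get(chan_id) == "session"
                    and request in COMMAND_REQUESTS):
                self.commands_run.append(self.force_command)
        elif msg == "channel-close":
            self.open_channels.pop(args[0], None)

def replay(messages, allow_tcp_forwarding=False,
           force_command="/usr/libexec/sftp-server"):
    conn = Connection(allow_tcp_forwarding, force_command)
    for m in messages:
        conn.handle(*m)
    return conn

# Constructed client behaviours.
SFTP_CLIENT = [("userauth-success",), ("channel-open", 0, "session"),
               ("channel-request", 0, "subsystem")]
NO_CHANNEL_CLIENT = [("userauth-success",)]            # authenticated, then idle
FORWARD_ONLY_CLIENT = [("userauth-success",), ("channel-open", 0, "direct-tcpip")]
# The sequence from the reply: pty channel, then a forwarding, then close the first.
PTY_THEN_FORWARD = [("userauth-success",), ("channel-open", 0, "session"),
                    ("channel-request", 0, "pty-req"),
                    ("channel-open", 1, "direct-tcpip"), ("channel-close", 0)]
```

In this model the refused forward and the idle client both leave an authenticated connection with no command run, which is the "dummy connection" the original post describes.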