How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Peter Stuge peter at
Thu Nov 26 11:10:21 AEDT 2015

Tinker wrote:
> I tried with all available options to disable forwarding-only
> connections, by:
> "AllowAgentForwarding no
> AllowTcpForwarding no"
> This had no effect, so what I got in effect was dummy connections.

The above two options combined with X11Forwarding no added to your
sshd_config will disallow all forwarding.

Please explain what you mean by "dummy" above?

> I would like to disable this "class" of connections altogether.

Note that a forwarding is not a connection, but a channel. One
connection can have several channels.

> The outcome will be that all authenticated connections will lead to
> a command, be it /usr/libexec/sftp-server or other.

The above three options should do just that. If it's not working as
you want then please provide debug log output from the sshd where you
have added the three above configuration statements, when a client
connects to it and is able to open a forwarding channel. That would
be a bug.


More information about the openssh-unix-dev mailing list