How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at
Thu Nov 26 15:41:25 AEDT 2015

Hi Peter,

What I am looking for is an SSHD configuration where every successfully 
authenticated connection also guaranteedly will lead to a ForcedCommand 

Currently I understand this to be the case only for the connections that 
open channel to deliver a terminal, command or SFTP (I don't know if you 
have a collective name for such non-forwarding channels).

Is this possible?

Do you feel that it is a relevant feature?


On 2015-11-26 08:10, Peter Stuge wrote:
> Tinker wrote:
>> I tried with all available options to disable forwarding-only
>> connections, by:
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>> This had no effect, so what I got in effect was dummy connections.
> The above two options combined with X11Forwarding no added to your
> sshd_config will disallow all forwarding.
> Please explain what you mean by "dummy" above?
>> I would like to disable this "class" of connections altogether.
> Note that a forwarding is not a connection, but a channel. One
> connection can have several channels.
>> The outcome will be that all authenticated connections will lead to
>> a command, be it /usr/libexec/sftp-server or other.
> The above three options should do just that. If it's not working as
> you want then please provide debug log output from the sshd where you
> have added the three above configuration statements, when a client
> connects to it and is able to open a forwarding channel. That would
> be a bug.
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list