How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at openmailbox.org
Thu Nov 26 15:41:25 AEDT 2015


Hi Peter,

What I am looking for is an SSHD configuration where every successfully 
authenticated connection is also guaranteed to lead to a ForcedCommand 
invocation.


Currently I understand this to be the case only for the connections that 
open a channel to deliver a terminal, command or SFTP (I don't know if you 
have a collective name for such non-forwarding channels).


Is this possible?

Do you feel that it is a relevant feature?

Thanks,
Tinker

On 2015-11-26 08:10, Peter Stuge wrote:
> Tinker wrote:
>> I tried with all available options to disable forwarding-only
>> connections, by:
>> 
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>> 
>> This had no effect, so what I got in effect was dummy connections.
> 
> The above two options combined with X11Forwarding no added to your
> sshd_config will disallow all forwarding.
> 
> Please explain what you mean by "dummy" above?
> 
> 
>> I would like to disable this "class" of connections altogether.
> 
> Note that a forwarding is not a connection, but a channel. One
> connection can have several channels.
> 
> 
>> The outcome will be that all authenticated connections will lead to
>> a command, be it /usr/libexec/sftp-server or other.
> 
> The above three options should do just that. If it's not working as
> you want then please provide debug log output from the sshd where you
> have added the three above configuration statements, when a client
> connects to it and is able to open a forwarding channel. That would
> be a bug.
> 
> 
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
