How to disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Darren Tucker dtucker at
Thu Nov 26 16:03:10 AEDT 2015

On Thu, Nov 26, 2015 at 3:41 PM, Tinker <tinkr at> wrote:
> What I am looking for is an SSHD configuration where every successfully
> authenticated connection also guaranteedly will lead to a ForcedCommand
> invocation.
> Is this possible?

I don't think it's possible.  Or at least, not in any reasonable way.

The SSH (v2) protocol can have zero or more channels multiplexed over
it, and after the connection has been established (and authenticated)
it is up to the client to request whatever channels it wants.

Simplifying a little, these channels can be "session" (ie interactive
shell or non-interactive commands) or port forwards.  The client may
specify zero or more of these channels of either type, and there's
nothing that requires the client to request a session channel at all
(eg ssh's -N option).  The "session" request is where ForceCommand is

You could potentially hack the server to reject forwarding requests
until it had seen a session request, but that'd break reasonable
client behaviours.

What's the objective of this exercise?

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list
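
Added example, not part of the original message and not OpenSSH code: a toy Python model of the post-authentication requests described above, showing that a client which never opens a session channel never reaches ForceCommand, and that a "session first" rule would reject that client's forwards. The request tuples, the `serve` function and the `/usr/local/bin/gate` path are assumptions made for illustration; message and channel names follow RFC 4254.

```python
# Added illustration, not OpenSSH code: a toy model of what an SSH-2 server
# sees after authentication. Message and channel names follow RFC 4254.
SESSION_STARTERS = {"shell", "exec", "subsystem"}  # requests that start a program
FORCE_COMMAND = "/usr/local/bin/gate"              # hypothetical ForceCommand value

def serve(requests, require_session_first=False):
    """Replay constructed client requests; return what the server did.

    ("open", type)          -> SSH_MSG_CHANNEL_OPEN ("session" or "direct-tcpip")
    ("global", name)        -> SSH_MSG_GLOBAL_REQUEST ("tcpip-forward")
    ("request", chan, name) -> SSH_MSG_CHANNEL_REQUEST on an open channel
    """
    channels = []            # index is the channel id, value is the channel type
    result = {"forced": [], "forwards": [], "rejected": []}
    session_seen = False
    for req in requests:
        kind, name = req[0], req[-1]
        is_forward = (kind, name) in {("open", "direct-tcpip"),
                                      ("global", "tcpip-forward")}
        if is_forward:
            if require_session_first and not session_seen:
                result["rejected"].append(req)   # the "hack the server" variant
                continue
            result["forwards"].append(req)
        if kind == "open":
            channels.append(name)
        elif kind == "request":
            chan = req[1]
            on_session = chan < len(channels) and channels[chan] == "session"
            if on_session and name in SESSION_STARTERS:
                session_seen = True
                result["forced"].append(FORCE_COMMAND)  # replaces the client's choice
    return result

# Constructed request sequences (not captured traffic).
INTERACTIVE = [("open", "session"), ("request", 0, "shell")]
# A client that never opens a session channel, as with ssh -N.
FORWARD_ONLY = [("global", "tcpip-forward"), ("open", "direct-tcpip")]

if __name__ == "__main__":
    print(serve(INTERACTIVE))
    print(serve(FORWARD_ONLY))
    print(serve(FORWARD_ONLY, require_session_first=True))
```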