How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at
Thu Nov 26 16:11:45 AEDT 2015

On 2015-11-26 13:03, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 3:41 PM, Tinker <tinkr at> wrote:
>> What I am looking for is an SSHD configuration where every 
>> successfully
>> authenticated connection also guaranteedly will lead to a 
>> ForcedCommand
>> invocation.
> [...]
>> Is this possible?
> I don't think it's possible.  Or at least, not in any reasonable way.
> The SSH (v2) protocol can have zero or more channels multiplexed over
> it, and after the connection has been established (and authenticated)
> it is up to the client to request whatever channels it wants.
> Simplifying a little, these channels can be "session" (ie interactive
> shell or non-interactive commands) or port forwards.  The client may
> specify zero or more of these channels of either type, and there's
> nothing that requires the client to request a session channel at all
> (eg ssh's -N option).  The "session" request is where ForceCommand is
> applied.

Aha, I understand the protocol level problem.

> You could potentially hack the server to reject forwarding requests
> until it had seen a session request, but that'd break reasonable
> client behaviours.
> What's the objective of this exercise?

The goal is to get a script invoked *at login time*, so that the 
authentication only is known to the client after that the script 
invocation has completed.

Does that make sense as a usecase? :)

Can it be done?

I understand that it can can be done via PAM, but then PAM is not in all 
environments and everyone don't like PAM.

More information about the openssh-unix-dev mailing list