How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
tinkr at openmailbox.org
Thu Nov 26 16:11:45 AEDT 2015
On 2015-11-26 13:03, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 3:41 PM, Tinker <tinkr at openmailbox.org> wrote:
>> What I am looking for is an SSHD configuration where every
>> authenticated connection also guaranteedly will lead to a
>> Is this possible?
> I don't think it's possible. Or at least, not in any reasonable way.
> The SSH (v2) protocol can have zero or more channels multiplexed over
> it, and after the connection has been established (and authenticated)
> it is up to the client to request whatever channels it wants.
> Simplifying a little, these channels can be "session" (ie interactive
> shell or non-interactive commands) or port forwards. The client may
> specify zero or more of these channels of either type, and there's
> nothing that requires the client to request a session channel at all
> (eg ssh's -N option). The "session" request is where ForceCommand is
Aha, I understand the protocol level problem.
> You could potentially hack the server to reject forwarding requests
> until it had seen a session request, but that'd break reasonable
> client behaviours.
> What's the objective of this exercise?
The goal is to get a script invoked *at login time*, so that the
authentication only is known to the client after that the script
invocation has completed.
Does that make sense as a usecase? :)
Can it be done?
I understand that it can can be done via PAM, but then PAM is not in all
environments and everyone don't like PAM.
More information about the openssh-unix-dev