How to disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Darren Tucker dtucker at
Thu Nov 26 16:33:10 AEDT 2015

On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr at> wrote:
> The goal is to get a script invoked *at login time*,

This part I follow, but having a script run is just a means to an end
not the end itself.  What is the script going to do?

> so that the authentication only is known to the client after that the script invocation
> has completed.

I don't quite follow the part about the "authentication being known to
the client".  You want your command to complete before allowing any
port forwards?  Does the result of the script matter?

> Does that make sense as a use case? :)
> Can it be done?
> I understand that it can be done via PAM, but then PAM is not in all
> environments and everyone doesn't like PAM.

PAM or bsdauth are the two obvious ways to do this.  If you are always
using public-key authentication, you could possibly abuse
AuthorizedKeysCommand in sshd_config.

This sounds a bit like what authpf[1] does.  I imagine you could write
firewall rules to block outgoing tcp connections from sshd until after
authpf runs, if that is an option for you.


Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
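
A sketch of the AuthorizedKeysCommand approach mentioned in the reply above, as an added example (not code from this thread or from OpenSSH). The script name akc-gate, the hook path, the key directory and both AKC_* variables are assumptions; sshd runs the command while looking up keys, before the client has proven possession of one, so the hook fires on every public-key attempt for that user.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand wrapper (constructed example).
# Assumed sshd_config fragment:
#   AuthorizedKeysCommand /usr/local/libexec/akc-gate %u
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none
# AuthorizedKeysFile is set to none because sshd falls back to the key
# files when this command supplies no matching key.

# Overridable locations; both defaults are assumptions for this sketch.
: "${AKC_KEYS_DIR:=/etc/ssh/authorized_keys.d}"
: "${AKC_HOOK:=/usr/local/libexec/login-hook}"

# akc_gate USER: run the hook, then print USER's keys only if it succeeded.
akc_gate() {
    user=$1
    # Reject empty names and anything that could escape AKC_KEYS_DIR.
    case $user in
        ''|*[!A-Za-z0-9_.-]*|.*) return 1 ;;
    esac
    keyfile=$AKC_KEYS_DIR/$user
    [ -r "$keyfile" ] || return 1
    # Discard the hook's output: everything this command prints on stdout
    # is parsed by sshd as authorized_keys lines.
    "$AKC_HOOK" "$user" >/dev/null 2>&1 || return 1
    cat "$keyfile"
}

# Act as the command only when called with an argument (sshd passes %u).
if [ "$#" -gt 0 ]; then
    akc_gate "$1"
fi
```

This gates public-key logins only; other enabled authentication methods never reach the command.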

More information about the openssh-unix-dev mailing list