How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
Darren Tucker
dtucker at zip.com.au
Thu Nov 26 16:33:10 AEDT 2015
On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr at openmailbox.org> wrote:
> The goal is to get a script invoked *at login time*,
This part I follow, but having a script run is just a means to an end
not the end itself. What is the script going to do?
> so that the authentication only is known to the client after that the script invocation
> has completed.
I don't quite follow the part about the "authentication being known to
the client". You want your command to complete before allowing any
port forwards? Does the result of the script matter?
> Does that make sense as a usecase? :)
>
> Can it be done?
>
> I understand that it can can be done via PAM, but then PAM is not in all
> environments and everyone don't like PAM.
PAM or bsdauth are the two obvious ways to do this. If you are always
using public-key authentication, you could possibly abuse
AuthorizedKeysCommand in sshd_config.
This sounds a bit like what authpf[1] does. I imagine you could write
firewall rules to block outgoing tcp connections from sshd until after
authpf runs, if that is an option for you.
[1] http://www.openbsd.org/faq/pf/authpf.html
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list