How to disable forwarding-only connections (i.e. non-shell/command, non-sftp connections)? (Maybe this is a feature request!)
tinkr at openmailbox.org
Thu Nov 26 16:49:40 AEDT 2015
On 2015-11-26 13:33, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr at openmailbox.org> wrote:
>> The goal is to get a script invoked *at login time*,
> This part I follow, but having a script run is just a means to an end,
> not the end itself. What is the script going to do?
>> so that the authentication only becomes known to the client after the
>> script invocation has completed.
> I don't quite follow the part about the "authentication being known to
> the client". You want your command to complete before allowing any
> port forwards?
> Does the result of the script matter?
>> Does that make sense as a usecase? :)
>> Can it be done?
>> I understand that it can be done via PAM, but then PAM is not in all
>> environments and not everyone likes PAM.
> PAM or bsdauth are the two obvious ways to do this.
How would you do it using bsdauth?
(PAM seems very redundant to install on OBSD.)
> If you are always
> using public-key authentication, you could possibly abuse
> AuthorizedKeysCommand in sshd_config.
As in key files. It could be partially interesting to know how a
passthrough script would look for it, but if an all-encompassing way
could be worked out it would be better, i.e. one that supports password
> This sounds a bit like what authpf does. I imagine you could write
> firewall rules to block outgoing tcp connections from sshd until after
> authpf runs, if that is an option for you.
(That sounds like a very indirect approach, in particular as it would
cover only some connections?)
>  http://www.openbsd.org/faq/pf/authpf.html
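The "abuse AuthorizedKeysCommand" idea above, written out as an added example (this is not code from the thread, from OpenSSH, or from either poster). The wrapper is meant to be configured as `AuthorizedKeysCommand /usr/local/sbin/gated-keys %u` with an `AuthorizedKeysCommandUser`; it runs a login-time hook and prints the user's authorized_keys lines only when the hook exits 0, so public-key authentication cannot succeed before the hook has finished. The key directory `/etc/ssh/gated-keys`, the hook path `/usr/local/sbin/login-hook`, the account name and the sample key line are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. Intended sshd_config
# (paths and account name are assumptions):
#   AuthorizedKeysCommand /usr/local/sbin/gated-keys %u
#   AuthorizedKeysCommandUser _gatedkeys
# sshd runs this before public-key authentication completes; whatever it
# prints is treated as authorized_keys content for the user given as %u.

KEYDIR=${KEYDIR:-/etc/ssh/gated-keys}     # hypothetical: one file per user, authorized_keys format
HOOK=${HOOK:-/usr/local/sbin/login-hook}  # hypothetical: the script that must run at login time

# Accept only plain Unix user names. sshd hands us %u, but a wrapper that
# builds a path from its argument should refuse '/', '..' and the like anyway.
valid_user() {
    case $1 in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Run the login-time hook for user $1. A non-zero exit means "release no key",
# which makes sshd reject the offered key.
run_hook() {
    "$HOOK" "$1" >/dev/null 2>&1
}

# Print the authorized_keys lines for user $1 (blank and comment lines
# dropped), but only after run_hook has succeeded. Otherwise print nothing
# and return 1. Any key options (no-port-forwarding, command=...) are taken
# from the stored lines as they are.
gate_keys() {
    user=$1
    valid_user "$user" || return 1
    keyfile="$KEYDIR/$user"
    [ -f "$keyfile" ] || return 1
    run_hook "$user" || return 1
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$keyfile"
}

# Number of key lines gate_keys would hand to sshd for user $1 (0 when gated).
released_count() {
    gate_keys "$1" | grep -c .
}

# sshd invokes the wrapper with the user name as the only argument.
if [ $# -eq 1 ]; then
    gate_keys "$1"
    exit $?
fi
```

Three caveats a practitioner should keep in mind. The command runs as AuthorizedKeysCommandUser, not as the user logging in, and only on the public-key path, so it does nothing for password authentication (which is why the thread points to PAM or bsdauth for an all-encompassing answer). sshd may invoke AuthorizedKeysCommand more than once for one login (once when the client asks whether a key is acceptable, again when the signature is checked), so the hook must tolerate being run twice. And once authentication has succeeded the wrapper has no say over port forwards; restricting those is still a job for options such as no-port-forwarding on the released key lines.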