How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at
Thu Nov 26 16:49:40 AEDT 2015

On 2015-11-26 13:33, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr at> wrote:
>> The goal is to get a script invoked *at login time*,
> This part I follow, but having a script run is just a means to an end
> not the end itself.  What is the script going to do?
>> so that the authentication only is known to the client after that the
>> script invocation has completed.
> I don't quite follow the part about the "authentication being known to
> the client".  You want your command to complete before allowing any
> port forwards?


> Does the result of the script matter?


>> Does that make sense as a usecase? :)
>> Can it be done?
>> I understand that it can be done via PAM, but then PAM is not in all
>> environments and everyone doesn't like PAM.
> PAM or bsdauth are the two obvious ways to do this.

How would you do it using bsdauth?

(PAM seems very redundant to install on OBSD.)

> If you are always
> using public-key authentication, you could possibly abuse
> AuthorizedKeysCommand in sshd_config.

As in key files. Could be partially interesting to know how a 
passthrough script would look for it, but, if an all-encompassing way 
could be worked out it would be better i.e. that supports password 
logins too.

> This sounds a bit like what authpf[1] does.  I imagine you could write
> firewall rules to block outgoing tcp connections from sshd until after
> authpf runs, if that is an option for you.

(That sounds like a very indirect approach, in particular as it would 
cover only some connections?)

> [1]
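
A sketch of the AuthorizedKeysCommand passthrough mentioned in the thread, as an added example that is not part of the original message and not OpenSSH project code. It runs a login hook and only then hands the user's keys to sshd. Assumptions: the install path, KEYS_DIR and LOGIN_HOOK are hypothetical names.

```sh
#!/bin/sh
# Added example: passthrough helper for sshd's AuthorizedKeysCommand.
# sshd_config (install path is hypothetical):
#   AuthorizedKeysCommand /usr/local/libexec/ssh-keys-hook %u
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none   # otherwise sshd falls back to the usual files
# sshd requires the program to be root-owned and not group/world-writable.

# Hypothetical locations; both can be overridden through the environment.
KEYS_DIR="${KEYS_DIR:-/etc/ssh/authorized_keys.d}"
LOGIN_HOOK="${LOGIN_HOOK:-/usr/local/libexec/login-hook}"

# emit_keys USER: run the hook, then print USER's key lines on stdout.
# With AuthorizedKeysFile none, printing nothing leaves no key to match.
emit_keys() {
    user=$1
    # Refuse names that could escape KEYS_DIR or look like options.
    case $user in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    keys="$KEYS_DIR/$user"
    if [ ! -f "$keys" ] || [ ! -r "$keys" ]; then
        return 1
    fi
    # Hook output must stay off stdout, which sshd parses as key lines.
    "$LOGIN_HOOK" "$user" >/dev/null 2>&1 || return 1
    cat "$keys"
}

# Run only when called with an argument, as sshd does with %u.
if [ "$#" -gt 0 ]; then
    emit_keys "$1"
fi
```

sshd runs this command while checking whether an offered key is acceptable, before the client has proven possession of the private key, so the hook fires on key lookup rather than on completed authentication. It is never run for password logins.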


More information about the openssh-unix-dev mailing list