How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at
Thu Nov 26 17:23:45 AEDT 2015

On 2015-11-26 14:16, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 4:49 PM, Tinker <tinkr at> wrote:
>> On 2015-11-26 13:33, Darren Tucker wrote:
> [...]
>>>  What is the script going to do?
> You didn't answer this.

Register the login to the group's login database.

>> How would you do it using bsdauth?
>> (PAM seems very redundant to install on OBSD.)
> You are using OpenBSD or something else?


> [...]
>>> This sounds a bit like what authpf[1] does.  I imagine you could write
>>> firewall rules to block outgoing tcp connections from sshd until after
>>> authpf runs, if that is an option for you.
>> (That sounds like a very indirect approach, in particular as it would cover
>> only some connections?)
> Assuming you write the PF rules to do so you should be able to match
> local processes (using "user" rules and the $user_id authpf macro) as
> well as connections from the IP address they're logging in as (using
> "from" rules and $user_ip macro).

Wait, to PF, isn't the user for all SSH connections "root" (independent 
of what user you log in as)?

Also, how would PF know when an SSH connection became authenticated, so 
as to trigger some rule to run a script, then?

> But all of this is speculative because you still have not described
> what the objective of this exercise is.

The object is to get a complete set of registrations of all logins on 
all servers, at auth time, sent by the registration script to the 
central database.

(If the auth time requirement was not there, adding the script as a 
"pipe" line in syslog.conf could have worked, but I think because it's 
quite indirect it's unpreferable, also not sure if you can get the 
client IP there.)
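
The syslog.conf pipe idea mentioned in the message above, sketched as an added example that is not part of the original thread: a filter that reads sshd syslog lines on stdin and emits user, auth method, client IP and port for each accepted login. The function names and log lines are constructed for illustration, and the line layout (timestamp, host, `sshd[pid]:` tag, message) is an assumption about what the pipe receives.

```shell
#!/bin/sh
# Added example (not from the thread): extract accepted logins from sshd
# syslog lines. Assumed line layout: "<date> <host> sshd[pid]: <message>".

parse_accepted() {
    awk '
    {
        # Find the FIRST sshd tag. A later "sshd[1]: Accepted ..." inside a
        # message (e.g. smuggled in through a bogus username) is ignored.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^sshd(\[[0-9]+\])?:$/) break
        if (i > NF || $(i+1) != "Accepted") next

        # Expected shape: Accepted <method> for <user> from <ip> port <port>
        if ($(i+3) != "for" || $(i+5) != "from" || $(i+7) != "port") next
        if ($(i+6) !~ /^[0-9A-Fa-f:.]+$/) next   # IPv4 or IPv6 literal only
        if ($(i+8) !~ /^[0-9]+$/) next           # numeric source port only

        # Output: user, method, client IP, client port (tab-separated)
        printf "%s\t%s\t%s\t%s\n", $(i+4), $(i+2), $(i+6), $(i+8)
    }'
}

# Constructed sample input: two accepted logins, one failure, and one line
# whose attacker-supplied username imitates an "Accepted" record.
sample_lines() {
    cat <<'EOF'
Nov 26 17:23:45 srv1 sshd[4121]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Nov 26 17:24:02 srv1 sshd[4130]: Failed password for invalid user admin from 198.51.100.9 port 60111 ssh2
Nov 26 17:25:10 srv1 sshd[4142]: Accepted password for bob from 2001:db8::7 port 40022 ssh2
Nov 26 17:26:31 srv1 sshd[4150]: Invalid user x sshd[1]: Accepted password for root from 203.0.113.5 port 1 ssh2 from 198.51.100.9
EOF
}

# Run "sh thisfile --demo" to see the parsed records for the sample input.
if [ "${1:-}" = "--demo" ]; then
    sample_lines | parse_accepted
fi
```

Each output record could be handed to a registration script; the records arrive when syslog delivers the line, not at auth time.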

More information about the openssh-unix-dev mailing list