How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Darren Tucker dtucker at
Thu Nov 26 18:34:22 AEDT 2015

On Thu, Nov 26, 2015 at 5:23 PM, Tinker <tinkr at> wrote:
> Wait, to PF, isn't the user for all SSH connections "root" (independent of
> what user you log in as)?

Not since privilege separation became the default ten years or so ago:
forwarded TCP connections will come from the unprivileged child sshd
running as the logged-in user.

> Also, how would PF know when an SSH connection became authenticated as to
> trig some rule to run a script, then.

authpf would just be the mechanism for ensuring that they'd sent a
session request, otherwise their outgoing tcp connections coming out
of sshd would get denied by PF.  You could have your script as the
login shell do its thing then exec authpf (or authpf-noip) at the end.

> The object is to get a complete set of registrations of all logins on all
> servers, at auth time, sent by the registration script to the central
> database.
> (If the auth time requirement was not there, adding the script as a "pipe"
> line in syslog.conf could have worked, but I think because it's quite
> indirect it's unpreferable, also not sure if you can get the client IP
> there.)

OK, thanks.  It feels like there should be some way to get a bsdauth
module to do this, but I've never tried anything like this before. I
can't find an obvious equivalent to a PAM session module, I'm not even
sure there is one.  I'll think about it a bit more.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list