How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at
Thu Nov 26 18:55:57 AEDT 2015

On 2015-11-26 15:34, Darren Tucker wrote:
> On Thu, Nov 26, 2015 at 5:23 PM, Tinker <tinkr at> wrote:
> [...]
>> Wait, to PF, isn't the user for all SSH connections "root" 
>> (independent of
>> what user you log in as)?
> Not since privilege separation became the default ten years or so ago:
> forwarded TCP connections will come from the unprivileged child sshd
> running as the logged-in user.
>> Also, how would PF know when an SSH connection became authenticated as 
>> to
>> trig some rule to run a script, then.
> authpf would just be the mechanism for ensuring that they'd sent a
> session request, otherwise their outgoing tcp connections coming out
> of sshd would get denied by PF.  You could have your script as the
> login shell do its thing then exec authpf (or authpf-noip) at the end.

Can you give an example of the pf.conf line and shellscript, that 
appends the username and remote IP logged in to, to /tmp/logins.txt? 
E.g. echo $user $ip >> /tmp/logins.txt .

An alternative way could be:

>> The object is to get a complete set of registrations of all logins on 
>> all
>> servers, at auth time, sent by the registration script to the central
>> database.
>> (If the auth time requirement was not there, adding the script as a 
>> "pipe"
>> line in syslog.conf could have worked, but I think because it's quite
>> indirect it's unpreferable, also not sure if you can get the client IP
>> there.)
> OK, thanks.  It feels like there should be some way to get a bsdauth
> module to do this, but I've never tried anything like this before. I
> can't find an obvious equivalent to a PAM session module, I'm not even
> sure there is one.  I'll think about it a bit more.

login.conf has an "approve" program option, I guess actually that one 
applies for SSHD logins too?

More information about the openssh-unix-dev mailing list