How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Damien Miller djm at
Sun Nov 29 22:17:21 AEDT 2015

On Wed, 25 Nov 2015, Tinker wrote:

> Hi!
> I tried with all available options to disable forwarding-only connections, by:
> "AllowAgentForwarding no
> AllowTcpForwarding no"
> This had no effect, so what I got in effect was dummy connections.
> I would like to disable this "class" of connections altogether. The outcome
> will be that all authenticated connections will lead to a command, be it
> /usr/libexec/sftp-server or other.

There's no real way to do this in the SSH protocol. After the SSH transport
protocol is running and authentication has completed, there's no ironclad
way to distinguish between a connection that will never execute a command
from one that's merely slow to do so.

I don't understand why turning off agent/X11/TCP forwarding was no
sufficient for you - could you clarify?


More information about the openssh-unix-dev mailing list