How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
tinkr at openmailbox.org
Sun Nov 29 22:36:45 AEDT 2015
Presuming it's actually using BSDauth, I think the most viable option is
to use the "approve" program option in login.conf to reach this goal
which is to get a command run on every successful SSH auth, to answer
Will need to try it out, will be back here if it does not.
The pf.conf auth user discussed in this thread previously could perhaps
work but I think it would be asynchronous.
On 2015-11-29 19:17, Damien Miller wrote:
> On Wed, 25 Nov 2015, Tinker wrote:
>> I tried with all available options to disable forwarding-only
>> connections, by:
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>> This had no effect, so what I got in effect was dummy connections.
>> I would like to disable this "class" of connections altogether. The
>> will be that all authenticated connections will lead to a command, be
>> /usr/libexec/sftp-server or other.
> There's no real way to do this in the SSH protocol. After the SSH
> protocol is running and authentication has completed, there's no
> way to distinguish between a connection that will never execute a
> from one that's merely slow to do so.
> I don't understand why turning off agent/X11/TCP forwarding was no
> sufficient for you - could you clarify?
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
More information about the openssh-unix-dev