How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Tinker tinkr at
Sun Nov 29 22:36:45 AEDT 2015


Presuming it's actually using BSDauth, I think the most viable option is 
to use the "approve" program option in login.conf to reach this goal 
which is to get a command run on every successful SSH auth, to answer 
your question.

Will need to try it out, will be back here if it does not.

The pf.conf auth user discussed in this thread previously could perhaps 
work but I think it would be asynchronous.


On 2015-11-29 19:17, Damien Miller wrote:
> On Wed, 25 Nov 2015, Tinker wrote:
>> Hi!
>> I tried with all available options to disable forwarding-only 
>> connections, by:
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>> This had no effect, so what I got in effect was dummy connections.
>> I would like to disable this "class" of connections altogether. The 
>> outcome
>> will be that all authenticated connections will lead to a command, be 
>> it
>> /usr/libexec/sftp-server or other.
> There's no real way to do this in the SSH protocol. After the SSH 
> transport
> protocol is running and authentication has completed, there's no 
> ironclad
> way to distinguish between a connection that will never execute a 
> command
> from one that's merely slow to do so.
> I don't understand why turning off agent/X11/TCP forwarding was no
> sufficient for you - could you clarify?
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list