Connection caching?

Peter Stuge stuge-openssh-unix-dev at cdy.org
Sun May 16 23:22:58 EST 2004


On Sun, May 16, 2004 at 01:44:52PM +0200, Markus Friedl wrote:
> > It is a reasonable expectation for an admin to be able to say: one 
> > successful authentication authorizes only one shell channel.
> 
> i don't think so.
> 
> this one shell can start another multiplexer and you can still
> run multiple shells after one successful authentication (e.g.
> with screen(1) or window(1) or even job control).

Unless it's a restricted/custom shell, in which case the shell can
be tailored to not allow multiplexing.

How can a custom shell check that it hasn't been invoked previously
by the same sshd? I'm thinking getppid(), but then there needs to be
a record of all running shells stored somewhere. Yes, that would
work, but enforcing it in sshd has a few benefits: it's earlier, it
works with all shells and it is quite intuitive. There may be more.

We all want better control over what is allowed when, to what user,
perhaps depending on authentication method. This is an already-known
problem in sshd_config, with all of the authentication method
settings for example.

I never got any feedback on my idea about using PAM for all of this;
I'd be happy to hear some comments about why that would be a bad
idea. :)

Hope you're all having a nice weekend!


//Peter
