Is there any way to hook the point when channel port listener accepts a new connection?

Peter Stuge peter at stuge.se
Fri Jan 22 17:24:35 EST 2010


yingyuan cheng wrote:
> After a user is authenticated, he should be authenticated again by
> his interactive shell before starting a tunnel for him. How can I
> fulfill this task? I think I should add a hook when a listening
> channel accepts a new connection.

That doesn't work. There may not be a shell when a port forward
channel request comes.


> Is there an easier way?

The SSH protocol doesn't allow extra authentication once the initial
authentication has succeeded. Since a port forward is implemented in
the SSH protocol and has nothing to do with interactive shells you
have to rely only on what is offered by the protocol.

It seems that you control the server side here, so you could add an
optional kbd-int authentication to be performed at initial login, and
add code to test the result of this auth when the port forward
channel open request comes. I know it's not perfect but I suspect
it's the best you can do. :\


//Peter
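A sketch of the per-connection policy the reply suggests, added here as an illustration and not code from OpenSSH or from either poster: the optional keyboard-interactive step runs at initial login and only records its outcome, and that recorded flag is consulted again when a port-forward channel open (direct-tcpip, a -L style forward) or a tcpip-forward global request (-R style) arrives. Session channels are never gated on it, since the reply warns there may be no shell at all when the forward request comes. The class, method names and the second-factor table are invented for the example.

```python
"""Model of a server-side policy that gates SSH port forwards on an
optional keyboard-interactive step performed at initial login.
Added illustration; not OpenSSH code. All names are hypothetical."""
import hmac
from dataclasses import dataclass, field

# Constructed second-factor table for the demo (hypothetical, not real data).
SECOND_FACTOR = {"alice": "correct horse"}

# RFC 4254 channel types and global requests that set up a port forward.
FORWARD_CHANNEL_TYPES = {"direct-tcpip"}      # client opens the channel (-L style)
FORWARD_GLOBAL_REQUESTS = {"tcpip-forward"}   # server binds a listening port (-R style)


@dataclass
class Connection:
    """State kept per SSH connection; set during auth, read at channel open."""
    user: str
    primary_auth_ok: bool = False   # publickey/password succeeded
    forward_ok: bool = False        # optional kbd-int step passed
    log: list = field(default_factory=list)

    def kbd_interactive(self, responses):
        """Optional second step at initial login. Records the result only;
        it never fails the login, so a user who skips or fails it still
        gets a shell but no port forwards."""
        expected = SECOND_FACTOR.get(self.user)
        ok = (expected is not None and len(responses) == 1
              and hmac.compare_digest(responses[0].encode(), expected.encode()))
        self.forward_ok = ok
        self.log.append(f"kbd-int for {self.user}: {'ok' if ok else 'failed'}")
        return ok

    def channel_open(self, chan_type):
        """Hook at SSH_MSG_CHANNEL_OPEN. Forward channels require the
        recorded kbd-int result; session channels do not."""
        if not self.primary_auth_ok:
            return False
        if chan_type in FORWARD_CHANNEL_TYPES and not self.forward_ok:
            self.log.append(f"denied {chan_type}: no second factor on record")
            return False
        return True

    def global_request(self, req_type):
        """Hook at SSH_MSG_GLOBAL_REQUEST, which carries remote forwards."""
        if not self.primary_auth_ok:
            return False
        if req_type in FORWARD_GLOBAL_REQUESTS and not self.forward_ok:
            self.log.append(f"denied {req_type}: no second factor on record")
            return False
        return True


def login(user, second_factor=None):
    """Simulate initial login: primary auth, then the optional kbd-int step."""
    conn = Connection(user=user)
    conn.primary_auth_ok = True   # constructed: assume publickey auth passed
    if second_factor is not None:
        conn.kbd_interactive([second_factor])
    return conn


if __name__ == "__main__":
    full = login("alice", "correct horse")
    shell_only = login("alice")
    print("full:", full.channel_open("direct-tcpip"), full.global_request("tcpip-forward"))
    print("shell-only:", shell_only.channel_open("session"),
          shell_only.channel_open("direct-tcpip"), shell_only.global_request("tcpip-forward"))
    print("\n".join(shell_only.log))
```

In a paramiko-based server the same three decisions would live in ServerInterface.check_auth_interactive_response, check_channel_direct_tcpip_request and check_port_forward_request; in sshd itself the corresponding places are the kbd-int auth method and the handlers for direct-tcpip channel opens and tcpip-forward global requests, which is exactly the split the reply describes.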

