Re: How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Hi Peter,

What I am looking for is an SSHD configuration where every successfully authenticated connection also guaranteedly will lead to a ForcedCommand invocation.


Currently I understand this to be the case only for the connections that open a channel to deliver a terminal, command or SFTP (I don't know if you have a collective name for such non-forwarding channels).


Is this possible?

Do you feel that it is a relevant feature?

Thanks,
Tinker

On 2015-11-26 08:10, Peter Stuge wrote:
> Tinker wrote:
>> I tried with all available options to disable forwarding-only
>> connections, by:
>>
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>>
>> This had no effect, so what I got in effect was dummy connections.
>
> The above two options combined with X11Forwarding no added to your
> sshd_config will disallow all forwarding.
>
> Please explain what you mean by "dummy" above?
>
>> I would like to disable this "class" of connections altogether.
>
> Note that a forwarding is not a connection, but a channel. One
> connection can have several channels.
>
>> The outcome will be that all authenticated connections will lead to
>> a command, be it /usr/libexec/sftp-server or other.
>
> The above three options should do just that. If it's not working as
> you want then please provide debug log output from the sshd where you
> have added the three above configuration statements, when a client
> connects to it and is able to open a forwarding channel. That would
> be a bug.
>
> //Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
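
Added example, not part of the original thread: a small audit of sshd_config text for the three forwarding options named in the quoted reply. It assumes the sshd_config(5) rules that the first value seen for a keyword wins and that a Match block can override a global setting; the function name and the sample fragments are constructed for illustration.

```python
import re

# Upstream defaults per sshd_config(5); a distribution's shipped file may differ.
FORWARDING_DEFAULTS = {
    "allowagentforwarding": "yes",
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
}

def audit_forwarding(config_text):
    """Return findings for every place a forwarding option is not 'no'."""
    global_vals, findings, scope = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            scope = value                           # following lines are conditional
            continue
        if key not in FORWARDING_DEFAULTS:
            continue
        if scope is None:
            global_vals.setdefault(key, value.lower())   # first value wins
        elif value.lower() != "no":
            findings.append(f"Match {scope}: {key} = {value}")
    for key, default in FORWARDING_DEFAULTS.items():
        effective = global_vals.get(key, default)
        if effective != "no":
            findings.append(f"global: {key} = {effective}")
    return findings

# Constructed sample: a later "no" does not undo an earlier "yes",
# and a Match block re-enables X11 forwarding for one user.
SAMPLE = """\
AllowTcpForwarding yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Match User backup
    X11Forwarding yes
"""

# Constructed sample with all three options disabled globally.
HARDENED = "AllowAgentForwarding no\nAllowTcpForwarding=no\nX11Forwarding no\n"

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE):
        print(finding)
```

On a running server, `sshd -T` prints the effective configuration and is the authoritative check; the parser above only inspects the file text it is given.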
