On 2015-11-26 13:03, Darren Tucker wrote:
On Thu, Nov 26, 2015 at 3:41 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
What I am looking for is an SSHD configuration where every
successfully
authenticated connection also guaranteedly will lead to a
ForcedCommand
invocation.
[...]
Is this possible?
I don't think it's possible. Or at least, not in any reasonable way.
The SSH (v2) protocol can have zero or more channels multiplexed over
it, and after the connection has been established (and authenticated)
it is up to the client to request whatever channels it wants.
Simplifying a little, these channels can be "session" (ie interactive
shell or non-interactive commands) or port forwards. The client may
specify zero or more of these channels of either type, and there's
nothing that requires the client to request a session channel at all
(eg ssh's -N option). The "session" request is where ForceCommand is
applied.
Aha, I understand the protocol level problem.
You could potentially hack the server to reject forwarding requests
until it had seen a session request, but that'd break reasonable
client behaviours.
What's the objective of this exercise?
The goal is to get a script invoked *at login time*, so that the
authentication only is known to the client after that the script
invocation has completed.
Does that make sense as a usecase? :)
Can it be done?
I understand that it can can be done via PAM, but then PAM is not in all
environments and everyone don't like PAM.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
