On Thu, Nov 26, 2015 at 3:41 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote: > What I am looking for is an SSHD configuration where every successfully > authenticated connection also guaranteedly will lead to a ForcedCommand > invocation. [...] > Is this possible? I don't think it's possible. Or at least, not in any reasonable way. The SSH (v2) protocol can have zero or more channels multiplexed over it, and after the connection has been established (and authenticated) it is up to the client to request whatever channels it wants. Simplifying a little, these channels can be "session" (ie interactive shell or non-interactive commands) or port forwards. The client may specify zero or more of these channels of either type, and there's nothing that requires the client to request a session channel at all (eg ssh's -N option). The "session" request is where ForceCommand is applied. You could potentially hack the server to reject forwarding requests until it had seen a session request, but that'd break reasonable client behaviours. What's the objective of this exercise? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev