On Thu, Nov 26, 2015 at 4:11 PM, Tinker <tinkr@xxxxxxxxxxxxxxx> wrote:
> The goal is to get a script invoked *at login time*,

This part I follow, but having a script run is just a means to an end, not the end itself. What is the script going to do?

> so that the authentication is only known to the client after the script invocation
> has completed.

I don't quite follow the part about the "authentication being known to the client". You want your command to complete before allowing any port forwards? Does the result of the script matter?

> Does that make sense as a use case? :)
>
> Can it be done?
>
> I understand that it can be done via PAM, but then PAM is not in all
> environments and not everyone likes PAM.

PAM or bsdauth are the two obvious ways to do this.

If you are always using public-key authentication, you could possibly abuse AuthorizedKeysCommand in sshd_config.

This sounds a bit like what authpf[1] does. I imagine you could write firewall rules to block outgoing tcp connections from sshd until after authpf runs, if that is an option for you.

[1] http://www.openbsd.org/faq/pf/authpf.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
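The AuthorizedKeysCommand route mentioned in the reply above, as an added example that is not code from the thread or from OpenSSH. The sshd_config fragment in the header comment, the per-user key directory, the hook body and the log path are all assumptions chosen for illustration. Two caveats worth knowing before "abusing" this option: sshd runs the command for every public key a client offers, before authentication has succeeded (so the hook fires on failed attempts too, and only for public-key authentication), and it runs as AuthorizedKeysCommandUser, not as the logging-in user. sshd_config(5) also requires the program to be given by absolute path, owned by root and not writable by group or others. The keys the script prints, in authorized_keys format, are the only ones sshd will accept for that attempt; a non-zero exit means the lookup failed and sshd falls through to AuthorizedKeysFile.

```shell
#!/bin/sh
# Added example of a script used as sshd's AuthorizedKeysCommand; not from the
# thread or from OpenSSH. Assumed sshd_config:
#   AuthorizedKeysCommand /usr/local/sbin/login-hook-keys %u %f
#   AuthorizedKeysCommandUser _keyhook
# sshd calls it as "login-hook-keys <user> <key fingerprint>" for every public
# key the client offers, BEFORE authentication succeeds, as _keyhook, and
# accepts only the keys this script prints (authorized_keys format).

KEYDB=${KEYDB:-/etc/ssh/keys-by-user}          # assumed: one authorized_keys-style file per user
HOOK_LOG=${HOOK_LOG:-/var/log/ssh-keyhook.log}  # assumed: where the hook records attempts

# valid_user NAME: refuse anything but a plain lowercase username before NAME
# is used to build a path (sshd passes %u verbatim; do not trust it blindly).
valid_user() {
    case $1 in
        ''|*[!a-z0-9._-]*|.*) return 1 ;;
    esac
    return 0
}

# run_login_hook USER FINGERPRINT: the "script invoked at login time".
# sshd waits for it synchronously; if it fails, no key is printed and the
# offer is refused. Here it only appends an audit line (hypothetical hook).
run_login_hook() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$HOOK_LOG"
}

# emit_keys USER FINGERPRINT: run the hook, then print USER's keys.
# Non-zero exit tells sshd the lookup failed.
emit_keys() {
    user=$1 fp=$2
    valid_user "$user" || return 1
    [ -f "$KEYDB/$user" ] || return 1
    run_login_hook "$user" "$fp" || return 1
    # Drop blank lines and comments; only key lines go back to sshd.
    grep -Ev '^[[:space:]]*(#|$)' "$KEYDB/$user"
}

# Entry point when sshd invokes the script with the two tokens above.
if [ $# -eq 2 ]; then
    emit_keys "$1" "$2"
fi
```

Because the hook runs inside the authentication exchange rather than after it, a slow hook delays every key offer, and a hook that touches per-user state is doing so for attackers as well as for legitimate users; whatever it does should be cheap and safe to run on a failed attempt.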