Damien,
Presuming it's actually using BSDauth, I think the most viable option is
to use the "approve" program option in login.conf to reach this goal
which is to get a command run on every successful SSH auth, to answer
your question.
Will need to try it out, will be back here if it does not.
The pf.conf auth user discussed in this thread previously could perhaps
work but I think it would be asynchronous.
Thanks,
Tinker
On 2015-11-29 19:17, Damien Miller wrote:
On Wed, 25 Nov 2015, Tinker wrote:
Hi!
I tried with all available options to disable forwarding-only
connections, by:
"AllowAgentForwarding no
AllowTcpForwarding no"
This had no effect, so what I got in effect was dummy connections.
I would like to disable this "class" of connections altogether. The
outcome
will be that all authenticated connections will lead to a command, be
it
/usr/libexec/sftp-server or other.
There's no real way to do this in the SSH protocol. After the SSH
transport
protocol is running and authentication has completed, there's no
ironclad
way to distinguish between a connection that will never execute a
command
from one that's merely slow to do so.
I don't understand why turning off agent/X11/TCP forwarding was no
sufficient for you - could you clarify?
-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev