Re: How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)

Damien,

Presuming it's actually using BSDauth, I think the most viable option is to use the "approve" program option in login.conf to reach this goal, which is to get a command run on every successful SSH auth, to answer your question.

Will need to try it out, will be back here if it does not.

The pf.conf auth user discussed in this thread previously could perhaps work but I think it would be asynchronous.

Thanks,
Tinker

On 2015-11-29 19:17, Damien Miller wrote:
On Wed, 25 Nov 2015, Tinker wrote:

Hi!

I tried with all available options to disable forwarding-only connections, by:

"AllowAgentForwarding no
AllowTcpForwarding no"

This had no effect, so what I got in effect was dummy connections.

I would like to disable this "class" of connections altogether. The outcome will be that all authenticated connections will lead to a command, be it /usr/libexec/sftp-server or other.

There's no real way to do this in the SSH protocol. After the SSH transport protocol is running and authentication has completed, there's no ironclad way to distinguish between a connection that will never execute a command from one that's merely slow to do so.

I don't understand why turning off agent/X11/TCP forwarding was not sufficient for you - could you clarify?

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
