yingyuan cheng
2010-Jan-22 01:18 UTC
Is there any way to hook the point when channel port listener accepts a new connection?
After a user is authenticated, he should be authenticated again by his interactive shell before starting a tunnel for him. How can I fulfil this task? I think I should add a hook when a listening channel accepts a new connection. Is there an easier way? Thanks.

leo
Peter Stuge
2010-Jan-22 06:24 UTC
Is there any way to hook the point when channel port listener accepts a new connection?
yingyuan cheng wrote:
> After a user is authenticated, he should be authenticated again by
> his interactive shell before starting a tunnel for him. How can I
> fulfil this task? I think I should add a hook when a listening
> channel accepts a new connection.

That doesn't work. There may not be a shell when a port forward channel request comes.

> Is there an easier way?

The SSH protocol doesn't allow extra authentication once the initial authentication has succeeded. Since a port forward is implemented in the SSH protocol and has nothing to do with interactive shells, you have to rely only on what is offered by the protocol.

It seems that you control the server side here, so you could add an optional kbd-int authentication to be performed at initial login, and add code to test the result of this auth when the port forward channel open request comes.

I know it's not perfect, but I suspect it's the best you can do. :\

//Peter
yingyuan cheng
2010-Jan-22 07:32 UTC
Is there any way to hook the point when channel port listener accepts a new connection?
If no login shell exists when a forwarding request comes, is it possible to ignore or close the incoming request? I want to use one system account to provide tunnels for hundreds of users; how can I make things easier? Thanks.

2010/1/22 Peter Stuge <peter at stuge.se>:
> yingyuan cheng wrote:
>> To correlate forwarding channel to login shell,
>
> The point I tried to make is that you can not expect any login shell
> to exist when the request for the forwarding channel arrives.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
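Peter's point that only what the protocol offers can be relied on, and the follow-up question about serving hundreds of users from one system account, have a concrete form in the per-key options sshd(8) already honours in authorized_keys (documented under AUTHORIZED_KEYS FILE FORMAT: permitopen, no-pty, no-X11-forwarding, no-agent-forwarding and command=). The script below is an added example, not code from the thread or from OpenSSH: it emits one restricted authorized_keys line per user for a shared account, so each user's own key can open only the local forwards (-L) listed for it, and no shell. The user names, destinations and key strings are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): build authorized_keys
# entries for a single shared "tunnel" account. Each of the many users gets
# their own key line, and that key may only open the local forwards named on
# it. All option names come from sshd(8); user names, destinations and key
# material below are constructed for illustration.

# tunnel_key_line USER PUBKEY DEST [DEST...]
#   USER   : label written into the key comment so the line can be audited
#   PUBKEY : "ssh-ed25519 AAAA..." (key type and base64 only, no comment)
#   DEST   : host:port the user may reach through "ssh -L"
# Prints one authorized_keys line; returns 1 on malformed input.
tunnel_key_line() {
    user=$1
    pubkey=$2
    shift 2
    [ $# -ge 1 ] || { echo "no destinations given for $user" >&2; return 1; }

    # Deny everything except the tunnel itself: no tty, no X11 or agent
    # forwarding, and a forced command that exits at once if the client
    # does request a session. Users therefore connect with "ssh -N".
    opts='no-pty,no-X11-forwarding,no-agent-forwarding,command="/bin/false"'

    for dest in "$@"; do
        case $dest in
            *:[0-9]*) ;;   # must look like host:port; sshd takes it literally
            *) echo "bad destination '$dest' for $user" >&2; return 1 ;;
        esac
        opts="$opts,permitopen=\"$dest\""
    done

    printf '%s %s tunnel:%s\n' "$opts" "$pubkey" "$user"
}

# forward_permitted LINE DEST
# Returns 0 if DEST is one of the permitopen targets on LINE. This mirrors
# the literal matching sshd applies: a destination not spelled out exactly
# is refused when the client asks for the forward.
forward_permitted() {
    case $1 in
        *"permitopen=\"$2\""*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: two users sharing the account "tunnel". The key
# strings are placeholders, not real public keys.
ALICE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForAliceNotReal0000000000'
BOB_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForBobNotReal000000000000'

# Typical use: append these lines to ~tunnel/.ssh/authorized_keys.
tunnel_key_line alice "$ALICE_KEY" 10.0.0.5:5432
tunnel_key_line bob   "$BOB_KEY"   10.0.0.5:5432 10.0.0.9:3306
```

permitopen only governs client-requested local forwards; remote forwards (-R) are controlled separately by AllowTcpForwarding in sshd_config, usually inside a Match User block for the shared account (newer OpenSSH releases accept local and remote as values there, so -L can be allowed while -R is refused). Because the forced command exits immediately, users must connect with ssh -N so that no session channel is requested and only the permitted forwards are opened; a user who does request a shell is disconnected along with any forwards on that connection.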