Tinker
2015-Nov-25 15:59 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
Hi!

I tried with all available options to disable forwarding-only connections, by:

"AllowAgentForwarding no
AllowTcpForwarding no"

This had no effect, so what I got in effect was dummy connections.

I would like to disable this "class" of connections altogether. The outcome will be that all authenticated connections will lead to a command, be it /usr/libexec/sftp-server or other.

So something like "ForwardingOnlyConnections on/off".

Would you be interested in adding this to your next release?

Thanks!
Ángel González
2015-Nov-25 21:39 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
On 25/11/15 16:59, Tinker wrote:
> Hi!
>
> I tried with all available options to disable forwarding-only
> connections, by:
>
> "AllowAgentForwarding no
> AllowTcpForwarding no"
>
> This had no effect, so what I got in effect was dummy connections.
>
> I would like to disable this "class" of connections altogether. The
> outcome will be that all authenticated connections will lead to a
> command, be it /usr/libexec/sftp-server or other.
>
> So something like "ForwardingOnlyConnections on/off".
>
> Would you be interested in adding this to your next release?
>
> Thanks!

I don't think the ssh protocol allows that. You first authenticate, and only then you create the different channels. Also, it would be possible to create a pty channel, then a forwarding, then close the first channel.

Do you want to allow forwardings for "command connections"?
Tinker
2015-Nov-25 22:16 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
On 2015-11-26 05:39, Ángel González wrote:
> On 25/11/15 16:59, Tinker wrote:
>> Hi!
>>
>> I tried with all available options to disable forwarding-only
>> connections, by:
>>
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>>
>> This had no effect, so what I got in effect was dummy connections.
>>
>> I would like to disable this "class" of connections altogether. The
>> outcome will be that all authenticated connections will lead to a
>> command, be it /usr/libexec/sftp-server or other.
>>
>> So something like "ForwardingOnlyConnections on/off".
>>
>> Would you be interested in adding this to your next release?
>>
>> Thanks!
> I don't think the ssh protocol allows that. You first authenticate,
> and only then you create the different channels. Also, it would be
> possible to create a pty channel, then a forwarding, then close the
> first channel.
> Do you want to allow forwardings for "command connections"?

Angel,

Yes - actually my whole problem is that ForceCommand is invoked for *all* SSH connections, *except* for the forwarding-only connections.

Maybe another solution would be to add an option so that ForceCommand always is run, e.g. for /bin/noop on all non-SFTP non-shell non-command connections.

Thanks!
Peter Stuge
2015-Nov-26 00:10 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
Tinker wrote:
> I tried with all available options to disable forwarding-only
> connections, by:
>
> "AllowAgentForwarding no
> AllowTcpForwarding no"
>
> This had no effect, so what I got in effect was dummy connections.

The above two options combined with X11Forwarding no added to your sshd_config will disallow all forwarding.

Please explain what you mean by "dummy" above?

> I would like to disable this "class" of connections altogether.

Note that a forwarding is not a connection, but a channel. One connection can have several channels.

> The outcome will be that all authenticated connections will lead to
> a command, be it /usr/libexec/sftp-server or other.

The above three options should do just that. If it's not working as you want then please provide debug log output from the sshd where you have added the three above configuration statements, when a client connects to it and is able to open a forwarding channel. That would be a bug.


//Peter
Tinker
2015-Nov-26 04:41 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
Hi Peter,

What I am looking for is an SSHD configuration where every successfully authenticated connection is also guaranteed to lead to a ForcedCommand invocation.

Currently I understand this to be the case only for the connections that open a channel to deliver a terminal, command or SFTP (I don't know if you have a collective name for such non-forwarding channels).

Is this possible? Do you feel that it is a relevant feature?

Thanks,
Tinker

On 2015-11-26 08:10, Peter Stuge wrote:
> Tinker wrote:
>> I tried with all available options to disable forwarding-only
>> connections, by:
>>
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>>
>> This had no effect, so what I got in effect was dummy connections.
>
> The above two options combined with X11Forwarding no added to your
> sshd_config will disallow all forwarding.
>
> Please explain what you mean by "dummy" above?
>
>
>> I would like to disable this "class" of connections altogether.
>
> Note that a forwarding is not a connection, but a channel. One
> connection can have several channels.
>
>
>> The outcome will be that all authenticated connections will lead to
>> a command, be it /usr/libexec/sftp-server or other.
>
> The above three options should do just that. If it's not working as
> you want then please provide debug log output from the sshd where you
> have added the three above configuration statements, when a client
> connects to it and is able to open a forwarding channel. That would
> be a bug.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Damien Miller
2015-Nov-29 11:17 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
On Wed, 25 Nov 2015, Tinker wrote:
> Hi!
>
> I tried with all available options to disable forwarding-only connections, by:
>
> "AllowAgentForwarding no
> AllowTcpForwarding no"
>
> This had no effect, so what I got in effect was dummy connections.
>
> I would like to disable this "class" of connections altogether. The outcome
> will be that all authenticated connections will lead to a command, be it
> /usr/libexec/sftp-server or other.

There's no real way to do this in the SSH protocol. After the SSH transport protocol is running and authentication has completed, there's no ironclad way to distinguish between a connection that will never execute a command from one that's merely slow to do so.

I don't understand why turning off agent/X11/TCP forwarding was not sufficient for you - could you clarify?

-d
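The sshd_config keywords Peter and Damien point at above (AllowTcpForwarding, AllowAgentForwarding, X11Forwarding), together with a ForceCommand, are what actually confine every authenticated session to a command: the forwarding knobs close the channel types that never invoke ForceCommand, and ForceCommand pins the remaining ones. Checking this by eye is error-prone because a Match block silently overrides the global section. The script below is an added example, not code from this thread or from OpenSSH: it parses an sshd_config the way sshd(8) resolves it (case-insensitive keywords, the first value in a section wins, Match entries override the global section) and reports, for the global section and each Match block, which forwarding type is still enabled and whether a ForceCommand is set. It goes slightly beyond the thread by also checking AllowStreamLocalForwarding and PermitTunnel, two other non-command channel types; the default values and the two sample configs are assumptions constructed for the example. It does not, and cannot, address Damien's point: a client that authenticates and then opens no channel at all is still indistinguishable from one that is merely slow.

```python
"""Audit an sshd_config for forwarding left enabled alongside (or without) a ForceCommand.

Added example; not part of the mailing-list thread or of OpenSSH itself.
"""
import re

# keyword -> (value that disables the feature, assumed OpenSSH default).
# The first three are the ones discussed in the thread; the last two are
# added here because they also open channels that never run ForceCommand.
FORWARDING_KEYWORDS = {
    "allowtcpforwarding": ("no", "yes"),
    "allowagentforwarding": ("no", "yes"),
    "x11forwarding": ("no", "no"),
    "allowstreamlocalforwarding": ("no", "yes"),
    "permittunnel": ("no", "no"),
}


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Mirrors how sshd(8) reads its file: keywords are case-insensitive,
    the first value seen for a keyword within a section is the one used,
    and a Match block extends until the next Match line or end of file.
    Only whole-line comments are handled (a simplification).
    """
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(keyword, value)  # first occurrence wins
    return global_settings, blocks


def audit(text):
    """Return {section_name: [findings]}; an empty list means the section
    disables every forwarding type and pins a ForceCommand."""
    global_settings, blocks = parse_sshd_config(text)
    sections = [("global", global_settings)]
    for criteria, settings in blocks:
        effective = dict(global_settings)
        effective.update(settings)  # Match entries override the global section
        sections.append(("Match " + criteria, effective))

    report = {}
    for name, effective in sections:
        findings = []
        for keyword, (off_value, default) in FORWARDING_KEYWORDS.items():
            value = effective.get(keyword, default).lower()
            if value != off_value:
                findings.append(f"{keyword} is {value!r}, want {off_value!r}")
        if "forcecommand" not in effective:
            # Without a forced command a shell user can run their own forwarder,
            # so disabling forwarding alone buys little.
            findings.append("no ForceCommand: shell access can replace any forwarder")
        report[name] = findings
    return report


# Constructed sample: looks locked down at first glance, but the Match block
# re-enables TCP forwarding and nothing forces a command for ordinary users.
SAMPLE_WEAK = """\
# constructed example, not a real host's config
AllowAgentForwarding no
AllowTcpForwarding no
Subsystem sftp /usr/libexec/sftp-server
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding yes
"""

# Constructed sample: every authenticated session runs sftp-server and no
# forwarding channel type is available.
SAMPLE_HARDENED = """\
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
PermitTunnel no
ForceCommand /usr/libexec/sftp-server
Subsystem sftp /usr/libexec/sftp-server
"""


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {label} ==")
        for section, findings in audit(sample).items():
            print(f"[{section}]", "ok" if not findings else "")
            for finding in findings:
                print("  -", finding)
```

Run it against a copy of the live file (`sshd -T` output works too, since it prints one resolved keyword per line). Note what the report says about the weak sample: the global section has no ForceCommand and still permits Unix-socket forwarding by default, and the sftponly group, despite its forced command, can open direct-tcpip channels, which is exactly the case Tinker describes where ForceCommand never runs.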
Tinker
2015-Nov-29 11:36 UTC
How disable forwarding-only connections (i.e. non-shell/command non-sftp connections)? (Maybe this is a feature request!)
Damien,

Presuming it's actually using BSDauth, I think the most viable option is to use the "approve" program option in login.conf to reach this goal which is to get a command run on every successful SSH auth, to answer your question. Will need to try it out, will be back here if it does not.

The pf.conf auth user discussed in this thread previously could perhaps work but I think it would be asynchronous.

Thanks,
Tinker

On 2015-11-29 19:17, Damien Miller wrote:
> On Wed, 25 Nov 2015, Tinker wrote:
>
>> Hi!
>>
>> I tried with all available options to disable forwarding-only
>> connections, by:
>>
>> "AllowAgentForwarding no
>> AllowTcpForwarding no"
>>
>> This had no effect, so what I got in effect was dummy connections.
>>
>> I would like to disable this "class" of connections altogether. The
>> outcome will be that all authenticated connections will lead to a
>> command, be it /usr/libexec/sftp-server or other.
>
> There's no real way to do this in the SSH protocol. After the SSH
> transport protocol is running and authentication has completed, there's
> no ironclad way to distinguish between a connection that will never
> execute a command from one that's merely slow to do so.
>
> I don't understand why turning off agent/X11/TCP forwarding was not
> sufficient for you - could you clarify?
>
> -d