 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
On Mon, Oct 12, 2009 at 09:44:04AM -0700, Dan Kressin wrote: > Using "ssh -N" or putty's "Don't start a shell or any command at all" checkbox (Connection->SSH), it is possible to open an ssh connection to hostA for tunneling purposes even if the user's shell on hostA is set to nologin (or /bin/false, etc). As there is no shell or command running, these connections do not appear in the output of w or who. > > How might one detect these connections, assuming they come from a network with other active shell-based connections? > > Platform in question is FreeBSD, but I'm interested in Linux responses also. > > Thanks! > > -Dan > (FreeBSD's "pw usermod userA -e 1" will expire userA's account, fully disallowing even tunnel-only connections, but existing connections userA might have open are not affected. I'm essentially looking for a way to ensure cleanup after an account is removed.) netstat displays open connections. Your version may allow correctly privileged users to see pids and/or owners of the connections. On a Linux box, I would try 'netstat -tnp' to get TCP connections with IPs and services in numeric form and PIDs if available. -dsr- -- http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference. You can't defend freedom by getting rid of it.
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
