Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

how to detect (and kill) tunnel-only ssh connections?



On 10/12/2009 12:44 PM, Dan Kressin wrote:
> Using "ssh -N" or putty's "Don't start a shell or any command at all" c=
heckbox (Connection->SSH), it is possible to open an ssh connection to ho=
stA for tunneling purposes even if the user's shell on hostA is set to no=
login (or /bin/false, etc).  As there is no shell or command running, the=
se connections do not appear in the output of w or who.
>
> How might one detect these connections, assuming they come from a netwo=
rk with other active shell-based connections?
>
> Platform in question is FreeBSD, but I'm interested in Linux responses =
also.
>
>  =20
This is a tunnel connection on my home system from running an X tunnel
with no terminal:
gaf       5384  5381  0 09:02 ?        00:00:09 sshd: gaf at notty=20

Basically, on the above question, I would simply look for anything owned
by the user who has been removed although I'm not sure how ps would show
the entry if there is no corresponding password entry.


--=20
Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org>
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB  CA3B 4607 4319 537C 5846








BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org