BLU Discuss list archive



how to detect (and kill) tunnel-only ssh connections?



The question is whether the OpenBSD user expiration merely
disables the user account, or actually deletes it.  This thread
seems to be assuming the user is deleted and not just disabled.

But I would expect "expired" would just disable the user account.
Otherwise, why not just say "deleted" in the first place?

OP referenced the command

    pw usermod userA -e 1

Googling the pw manpage for PW doesn't clarify what "expire"
actually does. However, the command

    pw userdel -n userA -r

is the proper way to delete a user. I would expect "expire" will
simply disable the user account, but it should still exist in
/etc/passwd.



On Mon, Oct 12, 2009 at 2:35 PM, Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org> wrote:
> On 10/12/2009 12:44 PM, Dan Kressin wrote:
>> Using "ssh -N" or putty's "Don't start a shell or any command at all" checkbox (Connection->SSH), it is possible to open an ssh connection to hostA for tunneling purposes even if the user's shell on hostA is set to nologin (or /bin/false, etc). As there is no shell or command running, these connections do not appear in the output of w or who.
>>
>> How might one detect these connections, assuming they come from a network with other active shell-based connections?
>>
>> Platform in question is FreeBSD, but I'm interested in Linux responses also.
>>
>>
> This is a tunnel connection on my home system from running an X tunnel
> with no terminal:
> gaf       5384  5381  0 09:02 ?        00:00:09 sshd: gaf@notty
>
> Basically, on the above question, I would simply look for anything owned
> by the user who has been removed although I'm not sure how ps would show
> the entry if there is no corresponding password entry.
>
>
> --
> Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org>
> Boston Linux and Unix
> PGP key id: 537C5846
> PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB CA3B 4607 4319 537C 5846
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
GnuPG KeyID: 0xD5C7B5D9 / Email: abreauj-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
GnuPG FP: 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
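
Added example (not part of the thread and not any poster's code): a shell function that applies the approach from the quoted message above, picking out `sshd: user@notty` process titles from ps output and checking each login name against a passwd file. The function and helper names, the sample ps lines and the passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads "PID USER COMMAND" lines (as printed
# by `ps axo pid,user,command`) on stdin and prints "PID USER STATUS" for every
# sshd session without a tty. STATUS, checked against a passwd-format file:
#   no-passwd-entry  login name not present in the passwd file
#   nologin-shell    shell is nologin or false (the tunnel-only case from the thread)
#   login-shell      ordinary account (scp, sftp and remote commands also show notty)
find_notty_sessions() {
    passwd_file=${1:-/etc/passwd}
    awk -v pw="$passwd_file" '
        BEGIN {
            # Load login name -> shell (field 7) from the passwd file.
            while ((getline line < pw) > 0) {
                n = split(line, f, ":")
                if (n >= 7) shell[f[1]] = f[7]
            }
            close(pw)
        }
        # Sessions without a pty carry the process title "sshd: USER@notty".
        $3 == "sshd:" && $4 ~ /@notty$/ {
            user = $4
            sub(/@notty$/, "", user)
            if (!(user in shell)) status = "no-passwd-entry"
            else if (shell[user] ~ /\/(nologin|false)$/) status = "nologin-shell"
            else status = "login-shell"
            print $1, user, status
        }
    '
}

# Constructed sample input (not real host data).
sample_ps() {
cat <<'EOF'
  PID USER COMMAND
 5381 root sshd: gaf [priv]
 5384 gaf sshd: gaf@notty
 6120 userA sshd: userA@notty
 6200 bob sshd: bob@pts/0
 6310 1005 sshd: olduser@notty
EOF
}
sample_passwd() {
cat <<'EOF'
gaf:x:1000:1000::/home/gaf:/bin/bash
userA:x:1001:1001::/home/userA:/usr/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/sh
EOF
}
```

On a live host the same function can be fed with `ps axo pid,user,command | find_notty_sessions /etc/passwd`; the first column of each reported line is the PID of the per-session sshd process.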
