how to detect (and kill) tunnel-only ssh connections?

John Abreau abreauj-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Oct 13 14:19:35 EDT 2009


The question is whether the OpenBSD user expiration merely
disables the user account, or actually deletes it.  This thread
seems to be assuming the user is deleted and not just disabled.

But I would expect "expired" would just disable the user account.
Otherwise, why not just say "deleted" in the first place?

OP referenced the command

    pw usermod userA -e 1

Googling the pw manpage for PW doesn't clarify what "expire"
actually does. However, the command

    pw userdel -n userA -r

is the proper way to delete a user. I would expect "expire" will
simply disable the user account, but it should still exist in
/etc/passwd.



On Mon, Oct 12, 2009 at 2:35 PM, Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org> wrote:
> On 10/12/2009 12:44 PM, Dan Kressin wrote:
>> Using "ssh -N" or putty's "Don't start a shell or any command at all" checkbox (Connection->SSH), it is possible to open an ssh connection to hostA for tunneling purposes even if the user's shell on hostA is set to nologin (or /bin/false, etc).  As there is no shell or command running, these connections do not appear in the output of w or who.
>>
>> How might one detect these connections, assuming they come from a network with other active shell-based connections?
>>
>> Platform in question is FreeBSD, but I'm interested in Linux responses also.
>>
>>
> This is a tunnel connection on my home system from running an X tunnel
> with no terminal:
> gaf       5384  5381  0 09:02 ?        00:00:09 sshd: gaf@notty
>
> Basically, on the above question, I would simply look for anything owned
> by the user who has been removed although I'm not sure how ps would show
> the entry if there is no corresponding password entry.
>
>
> --
> Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org>
> Boston Linux and Unix
> PGP key id: 537C5846
> PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB  CA3B 4607 4319 537C 5846



-- 
John Abreau / Executive Director, Boston Linux & Unix
GnuPG KeyID: 0xD5C7B5D9 / Email: abreauj-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
GnuPG FP: 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
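
The check discussed in this thread, as an added example that is not part of any poster's message: list sshd session processes with no tty (the `sshd: user@notty` title shown in the quoted ps line) and flag those whose account has a nologin/false shell or no passwd entry at all. The function names, the `pid,ppid,user,args` column layout and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed `ps axo pid,ppid,user,args` output. PID 8001 belongs to a
# deleted account, so ps shows a numeric uid in the USER column.
sample_ps() {
cat <<'EOF'
  PID  PPID USER     COMMAND
 5381   812 root     sshd: gaf [priv]
 5384  5381 gaf      sshd: gaf@notty
 6100   812 root     sshd: alice [priv]
 6102  6100 alice    sshd: alice@pts/0
 7001   812 root     sshd: userA [priv]
 7003  7001 userA    sshd: userA@notty
 8001  8000 1005     sshd: olduser@notty
EOF
}

# Constructed passwd(5)-format account list.
sample_passwd() {
cat <<'EOF'
gaf:x:1000:1000:User G:/home/gaf:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
userA:x:1002:1002:User A:/home/userA:/usr/sbin/nologin
EOF
}

# Print "pid user" for every sshd session process that has no tty.
# The user name comes from the process title, so it survives account deletion.
# Note: "@notty" also covers scp, sftp and remote-command sessions, so this
# is a candidate list, not proof of a tunnel.
notty_sessions() {
    awk '$4 == "sshd:" && $5 ~ /@notty$/ { sub(/@notty$/, "", $5); print $1, $5 }'
}

# Read "pid user" lines; keep those whose account is missing from the passwd
# file ($1) or has a nologin/false shell. "=" marks "entry found".
flag_suspect() {
    while read -r pid user; do
        shell=$(awk -F: -v u="$user" '$1 == u { print "=" $7; exit }' "$1")
        case "$shell" in
            "")                  echo "$pid $user no-passwd-entry" ;;
            =*/nologin|=*/false) echo "$pid $user shell=${shell#=}" ;;
        esac
    done
}

pw=$(mktemp) && sample_passwd > "$pw"
sample_ps | notty_sessions | flag_suspect "$pw"
rm -f "$pw"
```

On a live host the same pipeline would read `ps axo pid,ppid,user,args | notty_sessions | flag_suspect /etc/passwd`; the first column of each output line is the PID of the session process.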





