On 10/12/2009 12:44 PM, Dan Kressin wrote:
> Using "ssh -N" or putty's "Don't start a shell or any command at all" checkbox (Connection->SSH), it is possible to open an ssh connection to hostA for tunneling purposes even if the user's shell on hostA is set to nologin (or /bin/false, etc). As there is no shell or command running, these connections do not appear in the output of w or who.
>
> How might one detect these connections, assuming they come from a network with other active shell-based connections?
>
> Platform in question is FreeBSD, but I'm interested in Linux responses also.

What I'd try is to do a full process listing to get all the 'sshd' processes. Then look through the full process listing for login shell processes whose parent-PID is one of the sshd PIDs. It would work on linux. Can't speak for *BSD.

Of course, it's possible for someone to 'detach' their shell from the parent-pid, but people usually don't do that unless they're doing something nefarious (or want to launch a job that's longer-lived than the current tty without using 'screen').

HTH,
Matt
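
One way to script the parent-PID check described in the reply above, as an added example that is not part of the original message: it flags per-user sshd processes that have no child process at all, which is what a tunnel-only ("ssh -N") session looks like. The function names, the `ps axo pid,ppid,user,args` invocation, the OpenSSH process-title format and the sample listing are all assumptions made for this example.

```python
import re
import subprocess

# Assumed OpenSSH privilege-separation titles for the post-auth, user-owned
# process: "sshd: alice@pts/0", "sshd: bob@notty" or "sshd: carol".
# "[priv]", "[net]", "[accepted]" and the listening daemon do not match.
SESSION_RE = re.compile(r"^sshd: ([^\s@\[]+)(?:@(\S+))?$")

# Constructed sample of `ps axo pid,ppid,user,args` output (not real data).
SAMPLE = """\
  PID  PPID USER     COMMAND
  812     1 root     /usr/sbin/sshd
 2201   812 root     sshd: alice [priv]
 2204  2201 alice    sshd: alice@pts/0
 2205  2204 alice    -bash
 2310   812 root     sshd: bob [priv]
 2313  2310 bob      sshd: bob@notty
 2400   812 root     sshd: [accepted]
 2401  2400 sshd     sshd: [net]
"""

def parse_ps(text):
    """Turn ps output (with header line) into (pid, ppid, user, args) tuples."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, args = line.split(None, 3)
        procs.append((int(pid), int(ppid), user, args))
    return procs

def shellless_sshd(procs):
    """Return per-user sshd session processes that are nobody's parent."""
    parents = {ppid for _, ppid, _, _ in procs}
    hits = []
    for pid, _, _, args in procs:
        m = SESSION_RE.match(args)
        if m and pid not in parents:
            hits.append({"pid": pid, "user": m.group(1), "tty": m.group(2) or "none"})
    return hits

def live_snapshot():
    """Assumed invocation: BSD-style options, accepted by FreeBSD and Linux ps."""
    return subprocess.run(["ps", "axo", "pid,ppid,user,args"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for hit in shellless_sshd(parse_ps(SAMPLE)):  # swap in live_snapshot() on a host
        print(hit)
```

Sessions served inside sshd itself, such as internal-sftp, also have no child process, so treat hits as candidates to review rather than confirmed tunnels.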