how to detect (and kill) tunnel-only ssh connections?

[Dan Ritter]

On Mon, Oct 12, 2009 at 09:44:04AM -0700, Dan Kressin wrote:
> Using "ssh -N" or putty's "Don't start a shell or any command at all" checkbox (Connection->SSH), it is possible to open an ssh connection to hostA for tunneling purposes even if the user's shell on hostA is set to nologin (or /bin/false, etc).  As there is no shell or command running, these connections do not appear in the output of w or who.
> 
> How might one detect these connections, assuming they come from a network with other active shell-based connections?
> 
> Platform in question is FreeBSD, but I'm interested in Linux responses also.
> 
> Thanks!
> 
> -Dan
> (FreeBSD's "pw usermod userA -e 1" will expire userA's account, fully disallowing even tunnel-only connections, but existing connections userA might have open are not affected.  I'm essentially looking for a way to ensure cleanup after an account is removed.)

netstat displays open connections. Your version may allow
correctly privileged users to see pids and/or owners of the
connections.

On a Linux box, I would try 'netstat -tnp' to get TCP
connections with IPs and services in numeric form and PIDs if
available.



-dsr-

-- 
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.