On Fri, Aug 21, 2009 at 10:34:05PM +0800, Uwe Dippel wrote:
> Paul de Weerd wrote:
>>
>> You could check for the presence of forwarded TCP sessions with fstat,
>> an example looks like this :
>>
>> weerd sshd 29016 11* internet stream tcp 0x40009ab33d0
>> 127.0.0.1:44410 --> 127.0.0.1:3128
>>
>> If you open an ssh session to a remote machine with a forwarded port,
>> then open the forwarded port and once the connection over the
>> forwarded port has been established ^D the initial session, you'll get
>> the behaviour you just described. The established TCP session over the
>> forwarded connection keeps the SSH session alive but the user is shown
>> as logged out (and no processes show other than the sshd's you
>> mentioned).
>>
>
> Now I am pretty sure that this is what we see here.
> It also makes sense, since all those users sit on a tightly controlled
> LAN; while that machine is 'further out'. So that restricted services
> can be accessed through some tunneling.
> Now: How to prevent it?? I have hundreds of users, who can log on from
> hundreds of machines, and all need access to ssh, and easily 30 at the
> same time.
> So, filtering IP addresses is out, nologin is out, no ssh is out.
> Of course, I can politely ask, but I would not necessarily trust it to
> be followed. I'd much rather disallow it technically. At least, have an
> easy access to the record (e.g. in 'last'). But since it doesn't require
> logon, what to do? And how to prevent this??
>
> Any suggestion appreciated,
>

Turn off ssh forwarding? Set AllowTcpForwarding to no in your sshd_config.

Of course, with a bit of effort and some netcat, the user will probably still be able to turn a normal connection into forwarding, but this should at least make it more difficult.

> Uwe
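An added example (not from the thread) of the fstat check Paul describes, turned into a small script: it picks out sshd-owned outbound TCP sockets (the "-->" form, i.e. a tunnel endpoint sshd opened for a client) and then flags the ones whose owner no longer appears in who(1), which is exactly the "logged out but still forwarding" state Uwe saw. The fstat and who lines below are constructed samples, and the fstat column positions are assumed from the line quoted above.

```sh
#!/bin/sh
# Constructed fstat(1) output (real input: `fstat | awk ...`). Field layout assumed:
# $1 user, $2 cmd, $3 pid, $4 fd, $5 internet, $6 stream, $7 tcp, $8 addr,
# $9 local endpoint, $10 arrow ("<--" accepted, "-->" outbound), $11 remote endpoint.
SAMPLE='USER     CMD          PID   FD MOUNT        INUM MODE       R/W    DV|SZ
weerd    sshd       29016    3* internet stream tcp 0x40009ab31c0 192.0.2.1:22 <-- 192.0.2.55:50210
weerd    sshd       29016   11* internet stream tcp 0x40009ab33d0 127.0.0.1:44410 --> 127.0.0.1:3128
alice    sshd       30111    3* internet stream tcp 0x40009ab35a0 192.0.2.1:22 <-- 192.0.2.77:40021
alice    sshd       30111   12* internet stream tcp 0x40009ab3780 192.0.2.1:17042 --> 198.51.100.9:25
bob      sshd       30500    3* internet stream tcp 0x40009ab3960 192.0.2.1:22 <-- 192.0.2.78:40999'

# Constructed who(1) output: only alice still has a tty; weerd has ^D'd the session.
WHO_SAMPLE='alice    ttyp0    Aug 21 22:10 (192.0.2.77)'

# forwarded_sessions: read fstat output on stdin, print "user pid destination" for every
# outbound TCP socket held by sshd. The client's own connection (port 22, "<--") is skipped.
forwarded_sessions() {
    awk '$2 == "sshd" && $5 == "internet" && $7 == "tcp" && $10 == "-->" { print $1, $3, $11 }'
}

# orphan_tunnels FSTAT_OUTPUT WHO_OUTPUT: print the forwarded sessions whose owner has no
# login entry, i.e. a tunnel that outlived the interactive session and shows up in neither
# who nor last. With "AllowTcpForwarding no" in sshd_config this list should stay empty.
orphan_tunnels() {
    printf '%s\n' "$1" | forwarded_sessions | while read -r user pid dest; do
        printf '%s\n' "$2" | awk -v u="$user" '$1 == u { found = 1 } END { exit !found }' \
            || printf '%s %s %s\n' "$user" "$pid" "$dest"
    done
}

echo "forwarded sessions:"
printf '%s\n' "$SAMPLE" | forwarded_sessions
echo "tunnels with no logged-in owner:"
orphan_tunnels "$SAMPLE" "$WHO_SAMPLE"
```

On a live box replace the samples with `fstat` and `who` output; the pid column is what you would hand to kill(1) or match against sshd's log lines.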

