bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-18 20:07 UTC
[Bug 2499] New: It would be nice to have a tool to manage ssh connections
https://bugzilla.mindrot.org/show_bug.cgi?id=2499
Bug ID: 2499
Summary: It would be nice to have a tool to manage ssh connections
Product: Portable OpenSSH
Version: 7.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: renich at woralelandia.com
A tool for managing ssh connections is needed.
For example, when you have a user compromised and wish to kill a
certain connection and not the user.
Example case: postgres
Let's say you enable ssh login for postgres; key based. For some
reason, the user gets compromised and you end up with somebody
connecting from outside, using the postgres user.
You don't want to kill the user because the DBs are running on it; just
close the intruder's connection and disable ssh for the postgres user.
Example: shared root
Sometimes, several users have ssh access to a server. You might want to
kill a connection just because that user is not supposed to be logged
in at that time; while blocking his IP.
In this case, you don't want to pkill the root user. You just want to
close that particular ssh connection and have the user explain what
he/she was doing at the time.
Example: timed connections
It would be cool to allow ssh connections at certain dates and hours. A
user might need to connect only during work hours. Disallowing
connections after that would be awesome.
In any case, a connection management tool could be very useful.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Dec-11 03:41 UTC
[Bug 2499] It would be nice to have a tool to manage ssh connections
https://bugzilla.mindrot.org/show_bug.cgi?id=2499
Damien Miller <djm at mindrot.org> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |WONTFIX
Status     |NEW     |RESOLVED
CC         |        |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
We don't plan on offering any connection management tool - generally
we'd like to make the existing unix toolset do this job. Mostly, it
does.
For your first example, you can kill ssh sessions by user by looking at
the process list. Active sessions list the username, e.g.
$ ps ax | grep sshd
25092 ?? S 0:05.52 sshd: djm@ttyp0,ttyp1,ttyp2 (sshd)
...
So killing the connection is just a matter of killing that user's
processes. Afterwards, the account can be locked using standard system
account maintenance tools - sshd honours locked passwords (either via
PAM or by directly inspecting the password's lock string).
Your second example could be done similarly to the above case, with a
little indirection through the existing 'w' or 'who' tools, or the
system logs to find out the source address.
Your third example is something that could be handled via PAM if your
system supports it (most do). E.g.
http://www.linux-pam.org/Linux-PAM-html/sag-pam_time.html -- we do
support some authentication restrictions in sshd_config, but we can't
cover everything...
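The steps from Comment #1 combined, as an added example that is not part of the original thread or of OpenSSH: it maps a source address to a tty through `who` output, then to the matching `sshd: user@tty` process, so only that one connection is selected and the account's other processes are left alone. The function names and the sample `who`/`ps` text are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not from a real host); 203.0.113.7 is a documentation address.
SAMPLE_WHO='postgres pts/1        2015-11-18 19:02 (10.0.0.5)
postgres pts/3        2015-11-18 20:01 (203.0.113.7)
root     pts/4        2015-11-18 20:03 (203.0.113.7)'

SAMPLE_PS='  811 /usr/sbin/sshd -D
25090 sshd: postgres [priv]
25092 sshd: postgres@pts/1
25140 sshd: postgres [priv]
25142 sshd: postgres@pts/3
25200 sshd: root@pts/4
25300 postgres: checkpointer'

# ttys_for USER ADDR: reads `who` output on stdin and prints the ttys
# on which USER is logged in from ADDR (host is the last field, in parentheses).
ttys_for() {
    awk -v u="$1" -v a="($2)" '$1 == u && $NF == a { print $2 }'
}

# session_pids USER TTY...: reads "PID COMMAND" lines on stdin and prints the PID
# of each session process titled "sshd: USER@tty[,tty...]" holding one of the ttys.
session_pids() {
    user=$1; shift
    awk -v u="$user" -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) tty[w[i]] = 1 }
        $2 == "sshd:" && index($3, u "@") == 1 {
            m = split(substr($3, length(u) + 2), held, ",")
            for (i = 1; i <= m; i++) if (held[i] in tty) { print $1; break }
        }'
}

# pids_to_kill USER ADDR WHO_TEXT PS_TEXT: the two lookups chained together.
# Prints nothing when USER has no tty session from ADDR.
pids_to_kill() {
    ttys=$(printf '%s\n' "$3" | ttys_for "$1" "$2")
    [ -n "$ttys" ] || return 0
    # $ttys is deliberately unquoted: one argument per tty.
    printf '%s\n' "$4" | session_pids "$1" $ttys
}

# On a live host (review the PID list before passing it to kill):
#   pids_to_kill postgres 203.0.113.7 "$(who)" "$(ps -eo pid=,args=)"
```

Sessions without a terminal (titled `sshd: user@notty`) do not appear in `who`, so for those the source address has to come from the system logs, as the comment notes.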
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2499] It would be nice to have a tool to manage ssh connections
https://bugzilla.mindrot.org/show_bug.cgi?id=2499
Damien Miller <djm at mindrot.org> changed:
What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release