Paul de Weerd wrote:
You could check for the presence of forwarded TCP sessions with fstat,
an example looks like this:
weerd sshd 29016 11* internet stream tcp 0x40009ab33d0 127.0.0.1:44410 --> 127.0.0.1:3128
If you open an ssh session to a remote machine with a forwarded port,
then open the forwarded port and once the connection over the
forwarded port has been established ^D the initial session, you'll get
the behaviour you just described. The established TCP session over the
forwarded connection keeps the SSH session alive but the user is shown
as logged out (and no processes show other than the sshd's you
mentioned).
Now I am pretty sure that this is what we see here.
It also makes sense, since all those users sit on a tightly controlled
LAN, while that machine is 'further out', so restricted services can be
accessed through some tunneling.
Now: How to prevent it?? I have hundreds of users, who can log on from
hundreds of machines, and all need access to ssh, and easily 30 at the
same time.
So, filtering IP addresses is out, nologin is out, no ssh is out.
Of course, I can politely ask, but I would not necessarily trust it to
be followed. I'd much rather disallow it technically, or at least have
easy access to the record (e.g. in 'last'). But since it doesn't require a
logon, what to do? And how to prevent this?
Any suggestion appreciated,
Uwe
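The two things the thread asks for, finding the forwarded sockets that Paul's fstat line shows and turning forwarding off, in one added example that is not from either poster. The fstat lines are constructed in the layout of Paul's example, the sshd port (22) and the sshd_config excerpt are assumptions, and `forwarded_sockets` generalizes the check slightly: it flags every TCP socket an sshd process holds whose local port is not the service port, which covers -L forwards (sshd connects out), -R forwards (sshd listens) and X11 forwarding alike, since any of them keeps the session alive after the user's shell has exited.

```shell
# Added example, not code from the original thread. Parses fstat(1)-style
# output to find forwarding sockets held by sshd, and reads the global
# AllowTcpForwarding value from an sshd_config excerpt.

# Assumption: sshd listens on port 22.
SSHD_PORT=22

# Constructed fstat output: the client session on port 22, a -L forward to a
# local proxy (as in Paul's example), a -R listener, and the parent sshd.
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT        INUM MODE         R/W    DV|SZ
weerd    sshd       29016    3* internet stream tcp 0x40009ab3000 192.0.2.10:22 --> 192.0.2.50:51234
weerd    sshd       29016   11* internet stream tcp 0x40009ab33d0 127.0.0.1:44410 --> 127.0.0.1:3128
weerd    sshd       29016   12* internet stream tcp 0x40009ab3400 127.0.0.1:8080
root     sshd       29010    3* internet stream tcp 0x40009ab2000 *:22'

# Print "USER PID LOCAL [--> REMOTE]" for every TCP socket owned by an sshd
# process whose local port is not the sshd service port. The socket back to
# the client sits on the service port; anything else is a forwarded or X11
# channel. Usage: forwarded_sockets "$(fstat -n)" 22
forwarded_sockets() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "sshd" && $5 ~ /^internet6?$/ && $7 == "tcp" {
            n = split($9, l, ":")          # last colon-separated piece is the port
            if (l[n] != port) {
                line = $1 " " $3 " " $9
                if ($10 == "-->") line = line " --> " $11
                print line
            }
        }'
}

# Number of forwarding sockets found (0 when there are none).
count_forwarded() {
    forwarded_sockets "$1" "$2" | grep -c ''
}

# Constructed sshd_config excerpt. "AllowTcpForwarding no" makes sshd refuse
# -L/-R/-D channel requests; PermitOpen none and X11Forwarding no close the
# remaining channel types. The Match block shows a per-user exception.
SAMPLE_CONFIG='Port 22
#AllowTcpForwarding yes
AllowTcpForwarding no
PermitOpen none
X11Forwarding no
Match User backup
    AllowTcpForwarding yes'

# Global value of a keyword: sshd uses the first value it obtains, so take
# the first uncommented occurrence before any Match block. Match stanzas can
# override it per user or host; "sshd -T" prints the effective result.
global_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/            { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) && val == "" { val = $2 }
        END { print (val == "" ? "unset" : val) }'
}

# Stand-alone run: report what the constructed data contains.
forwarded_sockets "$SAMPLE_FSTAT" "$SSHD_PORT"
echo "AllowTcpForwarding: $(global_setting "$SAMPLE_CONFIG" AllowTcpForwarding)"
```

On the real machine the first function is fed `fstat -n` output instead of the sample; the remaining `sshd` processes with a non-service-port TCP socket are the "logged out but still connected" sessions the thread describes, and login accounting such as `last` will never list them because only the shell session is recorded. Disabling the channel type in `sshd_config` is the technical prevention the question asks for; the audit function is there to confirm the global setting actually took effect and that no earlier line overrides it.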