A tool for managing ssh connections is needed. For example, when you have a user compromised and wish to kill a certain connection and not the user.

Example case: postgres
Let's say you enable ssh login for postgres; key based. For some reason, the user gets compromised and you end up with somebody connecting from outside, using the postgres user. You don't want to kill the user because the DBs are running on it; just close the intruder's connection and disable ssh for the postgres user.

Example: shared root
Sometimes, several users have ssh access to a server. You might want to kill a connection just because that user is not supposed to be logged in at that time; while blocking his IP. In this case, you don't want to pkill the root user. You just want to close that particular ssh connection and have the user explain what he/she was doing at the time.

Example: timed connections
It would be cool to allow ssh connections at certain dates and hours. A user might need to connect only during work hours. Disallowing connections after that would be awesome.

In any case, a connection management tool could be very useful.
We don't plan on offering any connection management tool - generally we'd like to make the existing unix toolset do this job. Mostly, it does.

For your first example, you can kill ssh sessions by user by looking at the process list. Active sessions list the username, e.g.

    $ ps ax | grep sshd
    25092 ?? S 0:05.52 sshd: djm@ttyp0,ttyp1,ttyp2 (sshd)
    ...

So killing the connection is just a matter of killing that user's processes. Afterwards, the account can be locked using standard system account maintenance tools - sshd honours locked passwords (either via PAM or by directly inspecting the password's lock string).

Your second example could be done similarly to the above case, with a little indirection through the existing 'w' or 'who' tools, or the system logs to find out the source address.

Your third example is something that could be handled via PAM if your system supports it (most do). E.g. http://www.linux-pam.org/Linux-PAM-html/sag-pam_time.html -- we do support some authentication restrictions in sshd_config, but we can't cover everything...
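Added example (not part of the original thread and not OpenSSH code): a shell function that does the lookup described in the reply above, matching `who` entries for one user and source address to the `sshd: user@tty` process that owns those ttys. The `who` and `ps` text is constructed sample data, `session_pids` is a hypothetical helper name, and the code assumes Linux-style `who` output with the source in parentheses as the last field.

```shell
#!/bin/sh
# Constructed sample data (not from a real host): `who` and `ps ax` output.
SAMPLE_WHO='root     pts/0        2016-08-02 09:01 (198.51.100.20)
postgres pts/1        2016-08-02 03:14 (203.0.113.7)
root     pts/2        2016-08-02 03:20 (203.0.113.7)
root     pts/3        2016-08-02 03:21 (203.0.113.7)'
SAMPLE_PS='  812 ?        Ss     0:00 /usr/sbin/sshd -D
25088 ?        Ss     0:00 sshd: postgres [priv]
25090 ?        S      0:00 sshd: root@pts/0
25092 ?        S      0:05 sshd: postgres@pts/1
25101 ?        S      0:00 sshd: root@pts/2,pts/3
25200 pts/0    S+     0:00 grep sshd'

# session_pids USER SOURCE WHO_TEXT PS_TEXT   (hypothetical helper)
# Prints the PID of every sshd session process ("sshd: user@tty[,tty...]")
# that owns a tty on which USER is logged in from SOURCE.
session_pids() {
    user=$1 src=$2 who_text=$3 ps_text=$4
    # Step 1: ttys where this user is logged in from this source (via who).
    ttys=$(printf '%s\n' "$who_text" |
        awk -v u="$user" -v a="($src)" '$1 == u && $NF == a { printf "%s ", $2 }')
    [ -n "$ttys" ] || return 0
    # Step 2: sshd session processes for that user holding one of those ttys.
    printf '%s\n' "$ps_text" | awk -v u="$user" -v ttys="$ttys" '
        BEGIN { n = split(ttys, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        {
            for (i = 1; i < NF; i++) if ($i == "sshd:") {
                split($(i + 1), ut, "@")            # ut[1]=user, ut[2]=tty list
                if (ut[1] != u) next
                m = split(ut[2], lst, ",")          # one process may hold several ttys
                for (j = 1; j <= m; j++) if (lst[j] in want) { print $1; next }
            }
        }'
}

# Live use: pass the real tool output and review the PIDs before killing them.
# SOURCE must be the exact string `who` prints (address or hostname):
#   session_pids root 203.0.113.7 "$(who)" "$(ps ax)"
```

Only the matching session process is listed, so other logins by the same account, such as the `root` session from 198.51.100.20 in the sample, are left alone.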
Close all resolved bugs after 7.3p1 release