Reputation: 555
Identify incoming SSHD processes by forwarded socket file
I have a Docker container running SSHD which receives SSH connections from multiple remote machines. I need to identify and terminate the connection coming from one particular machine.
The connections:
- Each incoming connection is from a different machine.
- Each incoming connection forwards a Unix socket file on the container to a TCP port on the remote machine. Each remote machine forwards a different container.
- Forwarding that one port is the only thing these connections do; they do not start an interactive session or run any commands.
- Every incoming connection logs in as the same user.
- Each remote machine has a different auth key which it uses to log in.
- The code which executes the SSH connection on the remote machines is under my control, so if there is some option I can pass to
sshor set inssh_configwhich will make it easier to ID the connections, I have the option to do that.
What I know:
- I know the serial number of the machine whose connection I need to kill.
- I know which socket file that connection will be forwarding.
- I know which SSH auth key the connection will have logged in with.
- I do not know what IP address or hostname the connection will be coming from.
What I've tried so far:
ps -auxwill show me the SSHD processes for all the incoming connections. However, I cannot tell which incoming connection comes from which remote machine.- If I could identify which process corresponded to which SSH auth key, that would suffice, but there's no obvious way to even begin with that.
- The most promising option would seem to be identifying which process has the corresponding socket file open, but I haven't been able to do that yet:
cat /proc/net/unixtells me which socket files are open, but not what processes each one is opened bylsofis supposed to list which processes have which files open. However, when I tested it by running it when I had a single incoming connection:- The output did not list the socket file I knew to be open anywhere
- The output for the SSHD processes in question (there were two of them, one running as root and the other as the log-in user) showed their only open files to be
/proc/${PID}/cwd,/proc/${PID}/root,/proc/${PID}/exe, and 6-8 numbered files in/proc/${PID}/fd/
Upvotes: 0
Views: 57
Answers (1)
Reputation: 555
Found the solution: lsof can tell you which processes have a given socket file open. However, Docker, by default, restricts containers such that processes inside the container cannot read /proc/${PID}/fd/${FD_NUM}, even if the process trying to do the reading is running as root, which is why lsof couldn't tell what processes had what files opened.
Running the SSHD container with --cap-add=SYS_PTRACE tells Docker not to block such operations, allowing lsof to work correctly.
More specifically: lsof -t "${SOCKET_FILE}" will return a list of PIDs which have the given socket file open.
Upvotes: 0
Related Questions
- Setting up OpenSSH for Windows using public key authentication
- Shared SSH connection with Control Master not working
- How can i exit, stop, kill autossh if connection timed out, ip, port not exists or response without using ssh and sshd config files?
- How does the socket API accept() function work?
- access host's ssh tunnel from docker container
- Determine docker container of incoming request on Unix domain socket
- Is there a way for multiple processes to share a listening socket?
- Hundreds of Apache SSHD clients leave hundreds of OpenSSH daemon processes running