  1. #1
    Just Joined!
    Join Date
    Dec 2013
    Posts
    3

    tracking pseudo-tty-less SSH sessions in Linux?


    In my continuing journey of learning more about Linux security, I was delving deeper into disabling pseudo-tty allocation in ssh. Though a very useful command line option in certain instances, I was alarmed to discover that a successful login using the -T option isn't logged into wtmp and, thus, a query using w would not detect someone logged in using the -T option -- despite the fact that they can still interactively run commands. Granted, there are things that you can't do without a terminal, such as sudo or su commands, but it is still a bit unnerving that I cannot detect anyone logged into the machine with pty disabled (though, thankfully, unsuccessful logins are still logged in btmp).

    Am I missing a way to determine a pty-less ssh session? Is this logged somewhere that I'm unaware of or, perhaps, is there an option to enable logging?

    Thanks.

  2. #2
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,508
    What release+version+kernel are you running? There are other ways to see what/who is connected to the system, even if they don't have a pty, although disabling pseudo-tty allocation in ssh is not particularly useful, except possibly to start daemon processes (no tty required). In any case, ssh uses by default port 22, so you could use netstat to tell what processes have connected via that port, and then ps to tell what processes they spawned. You can also find information in /proc and /sys.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
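
An added example (not part of the original thread) of the process-table approach suggested in the post above: OpenSSH's per-session sshd process sets its title to `sshd: USER@notty` when no pty is allocated, so such sessions and everything they spawned can be picked out of ps output even though w shows nothing. The function names and the sample process table are constructed for illustration.

```shell
#!/bin/sh
# Live use (as root, to see all users):
#   ps -e -o pid= -o ppid= -o user= -o tty= -o args= | notty_sessions

# Reads "pid ppid user tty args..." lines on stdin and prints each pty-less
# SSH session process followed by every process descended from it.
notty_sessions() {
    awk '
    {
        pid[NR] = $1; ppid[NR] = $2; user[NR] = $3
        cmd = $5; for (i = 6; i <= NF; i++) cmd = cmd " " $i
        args[NR] = cmd
        # Session process title is "sshd: USER@notty" when no pty was allocated.
        if ($5 == "sshd:" && $6 ~ /@notty$/) root[$1] = $1
    }
    END {
        # Propagate the owning session pid down the process tree until stable,
        # so the result does not depend on the order of the ps lines.
        do {
            changed = 0
            for (n = 1; n <= NR; n++)
                if (!(pid[n] in root) && (ppid[n] in root)) {
                    root[pid[n]] = root[ppid[n]]; changed = 1
                }
        } while (changed)
        for (n = 1; n <= NR; n++)
            if (pid[n] in root) {
                kind = (root[pid[n]] == pid[n]) ? "SESSION" : "CHILD"
                print kind, pid[n], user[n], "session=" root[pid[n]], args[n]
            }
    }'
}

# Constructed sample: alice has a normal pty login, bob connected with ssh -T.
sample_ps() {
    cat <<'EOF'
 1021     1 root   ?      /usr/sbin/sshd
 2290  1021 root   ?      sshd: alice [priv]
 2293  2290 alice  ?      sshd: alice@pts/0
 2294  2293 alice  pts/0  -bash
 2410  1021 root   ?      sshd: bob [priv]
 2413  2410 bob    ?      sshd: bob@notty
 2414  2413 bob    ?      -bash
 2450  2414 bob    ?      sleep 600
EOF
}

sample_ps | notty_sessions
```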

  3. #3
    Just Joined!
    Join Date
    Dec 2013
    Posts
    3
    Thank you, Rubberman, for the input.

    > What release+version+kernel are you running?

    Amazon Linux images that are Fedora/Redhat-based or Scientific Linux release 6.2 (Carbon) with kernel 2.6.32-358.23.2.el6.x86_64 #1 SMP

    > You can also find information in /proc and /sys.

    Could you be more specific?

  4. #4
    Linux Enthusiast
    Join Date
    Jan 2005
    Location
    Saint Paul, MN
    Posts
    636
    The "-t" option is very useful when having to connect to one or more boxes between you and the target as a single command can be used rather than having to connect to the next machine and then connect to the next machine, ...

    I make use of this on a daily basis doing my job.

    Code:
    Using:
       ssh userona@hosta -t ssh -p 3030 useronb@hostb -t ssh useronc@hostc
    
    Rather than:
       ssh usera@hosta
       ssh -p 3030 userb@hostb
       ssh userc@hostc

  5. #5
    Just Joined!
    Join Date
    Dec 2013
    Posts
    3
    @alf55: thanks for the "-t" tip. Even though it is pretty obvious, I had never used it that way before for "cascading" ssh logins.

    Better yet, it also works with X11 forwarding. That will certainly make my life easier.

  6. #6
    Linux Enthusiast
    Join Date
    Jan 2005
    Location
    Saint Paul, MN
    Posts
    636
    In my case we go to "appliances" and we do not install any of the X libraries. I do include a tunnel to the destination's ports 22 (ssh) and 443 (https) and use gvim using the "scp://" protocol to the final target machine and access the appliance's web interface locally as well.
