Identify multiple users doing reverse port FWD with their pubkeys

Philipp Marek philipp at marek.priv.at
Wed Feb 12 18:46:18 AEDT 2020


>> When I connect to the server, I would like to know which pubkey has
>> opened which reverse port.
See the man page of authorized_keys, and specifically the
"environment" there:

     environment="ID=user1" ssh-rsa ...

Also I guess you'd use "command=", and perhaps "restrict" or so.


> The auth happens when the device opens the SSH connection, and if your
> logging verbosity is high enough, the pubkey's fingerprint will be
> written to the log. If you really need to identify *the pubkey*, you'll
> have to grab the PID of the sshd process holding the reverse port (can
> be gleaned from the output of "{netstat,ss} -natp") and then search
> through the logs for the lines of when it got started.
An unprivileged user can't see filehandles of other users.
And grepping through logs isn't allowed for normal users either -
especially not the authentication logs...


> Whereas the *IP* of the device in question can be read on demand from
> the same netstat/ss output, just look for the incoming SSH connection
> held by the same PID ...
No. Just no. ;)
Look at $SSH_CLIENT and/or $SSH_CONNECTION for that kind of information.
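Putting the environment=/command= suggestion and $SSH_CONNECTION together, here is an added example (not from the thread or from OpenSSH): a forced command that records which key ID sits behind which sshd process, so the account owner can later join that registry with their own "ss -ltnp" output. Paths, the ID values and the registry file are assumptions; it also assumes PermitUserEnvironment is enabled, since environment= is ignored otherwise.

```shell
#!/bin/sh
# Assumed setup (hypothetical names):
#   sshd_config:      PermitUserEnvironment yes       # environment= is ignored without this
#   authorized_keys:  restrict,port-forwarding,environment="ID=user1",command="/usr/local/bin/fwd-register register" ssh-rsa AAAA...
# Caveat: a forced command only runs when the client opens a session. A device using
# "ssh -N -R ..." never requests one, so it must connect without -N and let this script
# hold the session (and with it the reverse forward) open.

# Nearest ancestor that is sshd: the process ss/netstat lists as owner of the listening port.
sshd_ancestor() {
    pid="$1"
    while [ "$pid" -gt 1 ]; do
        case "$(ps -o comm= -p "$pid")" in sshd*) printf '%s\n' "$pid"; return 0 ;; esac
        pid=$(ps -o ppid= -p "$pid" | tr -d ' ')
    done
    return 1
}

# One registry record: "<ID> <sshd-pid> <client-ip> <client-port>", built from what sshd set.
fwd_record() {
    sshd_pid="$1"
    set -- ${SSH_CONNECTION:-0.0.0.0 0 0.0.0.0 0}   # "client_ip client_port server_ip server_port"
    printf '%s %s %s %s\n' "${ID:-unknown}" "$sshd_pid" "$1" "$2"
}

# Which key ID owns a reverse port? Join the "ss -ltnp" listener line with the registry.
port_owner() {
    port="$1" registry="$2" ss_out="$3"
    pid=$(printf '%s\n' "$ss_out" | grep -E "[:.]$port[[:space:]]" |
          sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p')
    [ -n "$pid" ] || { echo none; return 0; }          # nothing listening on that port
    owner=$(printf '%s\n' "$registry" | awk -v p="$pid" '$2 == p { print $1; exit }')
    printf '%s\n' "${owner:-unknown}"                  # listener exists but was not registered
}

# Invoked by sshd as the forced command: append our record, then keep the session alive.
if [ "${1:-}" = register ] && [ -n "${SSH_CONNECTION:-}" ]; then
    fwd_record "$(sshd_ancestor $$)" >> "$HOME/.fwd-registry"
    while :; do sleep 3600; done
fi
```

The account owner then runs something like `port_owner 8022 "$(cat ~/.fwd-registry)" "$(ss -ltnp)"`; ss only shows PIDs for the caller's own processes, which is exactly the limitation noted above and is enough when all the keys belong to one account.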


More information about the openssh-unix-dev mailing list