RE: Thanks and Suggestions




Response to the response to suggestions 3 & 4.

1) In a way these functions are already security holes, as anyone with access to the system with the forwards can access these ports, and based on how they are presented in PS, they are relatively easy to locate. The program or option to ssh I suggest would be based on user access. A user could only see the details of forwards and tunnels created using his/her own username or a username for which he/she has a password. The root user would be able to see them all.

2) In most cases, the remote service will be password protected, and in an unsecured system, this should always be the case.

Of course this brings up another suggestion, forwards that are per user limited.

Response to the response to my question. I would want the STDIN, STDOUT and STDERR for the remote command to be the same as if I ran it locally. Would changing the STDIN, STDOUT and STDERR of the local call command, and not the remote command, do what I want?

----------------------------------------
Date: Sat, 28 Feb 2009 03:28:18 -0800
Subject: Re: Thanks and Suggestions
From: robert.lanning@xxxxxxxxx
To: secureshell@xxxxxxxxxxxxxxxxx

I am not an OpenSSH developer...

On Fri, Feb 27, 2009 at 8:03 PM, Chris Mirchandani wrote:
3) Maybe this already exists, so maybe this is not a request. Would like an easy to use
command that lets us see all the forwards and tunnels on a computer. I should be
able to limit to one or multiple types, local, remote, dynamic, remote dynamic (if
my request is added), tunnels initiated locally and tunnels initiated remotely. Should
be options for all forwards only, all tunnels only, everything, and if you could use the
inclusive options and exclude ones you do not want in the list. It would be great if
I could set a specific log just for this and so that every time this changes it updates
that log with the change or all the connections with the changes highlighted. e.g.
added in front of each that was added and removed for those that were closed. No,
gSTM (http://sourceforge.net/projects/gstm/) is not an alternative for what I am suggesting.

I believe this would be a huge security information leak. And would
advise against implementation.

4) Command that can show all ssh connections, remote and local.

If you need more than what "ps" or "netstat -anp" provide, then I will refer
you to my answer to suggestion 3.


Question

Is there a way to send a command via ssh that stays open even if the ssh session
that created it closes? I have this figured out already, I think, but my problem is that my
ssh session does not close like it normally does after a command is run and completed.
So maybe my real question is, how do I do this and have the ssh session close after the
command is run? e.g. If I run the following command, I get output and the ssh command
closes. Of course the command I am running in this example, has an end, but the one I
want to use does not.

ssh -p 4731 root@localhost netstat -an | egrep "tcp.*:3731.*LISTEN"

However, if I run one of the following commands, the remote command works, but am
not returned to the command prompt. I have to kill the ssh connection to be returned to
a prompt and the remote command stays running after I kill the initial connection, but
this does not help me in a script.

$ ssh -p 4731 root@localhost 'ssh -q -N -D 1873 -p 3731 sshd@localhost &'
$ ssh -p 4731 root@localhost ssh -q -N -f -D 1873 -p 3731 sshd@localhost

Btw, the fact that I am using localhost does not mean that all connections are to the
same computer. The ports are forwards. I know I can send the local command to the
background, but there is no need to keep it open, I want it to close like it does with
ssh -p 4731 root@localhost netstat -an | egrep "tcp.*:3731.*LISTEN".

OpenSSH will close its connection, when no-one else has the terminal/pipe open.
This means more than just backgrounding the job. ("&")

You must redirect STDIN, STDOUT and STDERR to somewhere else and background
the job.

$ date
Sat Feb 28 03:18:38 PST 2009
$ ssh joe@xxxxxxxxxxx "sleep 1000 < /dev/null > /dev/null 2>&1 &"
$ date
Sat Feb 28 03:18:41 PST 2009

So, with that, I redirected STDIN ("< /dev/null") and STDOUT ("> /dev/null") then
made STDERR (2) go to the same place as STDOUT (1) ("2>&1"). Then the whole
command gets backgrounded ("&").

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
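
The descriptor behaviour described in the reply above can be reproduced without a remote host. This is an added example, not part of the original thread: a local pipe read by `cat` stands in for the SSH channel (an assumption of the sketch), and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration. "cat" plays the part of the SSH channel: it only sees
# EOF once every process holding the pipe's write end has closed it.
# stderr is joined to the pipe (2>&1) because the session carries both streams.

# elapsed CMD: run CMD via sh with stdout+stderr on a pipe and print the
# whole seconds that pass before the reader sees EOF.
elapsed() {
    start=$(date +%s)
    sh -c "$1" 2>&1 | cat >/dev/null
    end=$(date +%s)
    echo $((end - start))
}

# "&" alone: the job inherits stdout and stderr, so the reader blocks.
bg_only() { elapsed 'sleep 2 &'; }

# stdout redirected, stderr not: the inherited stderr still holds the pipe.
stdout_only() { elapsed 'sleep 2 >/dev/null &'; }

# All three descriptors redirected, as in the reply: nothing holds the pipe,
# so the reader returns at once while sleep keeps running in the background.
detached() { elapsed 'sleep 2 </dev/null >/dev/null 2>&1 &'; }

# The same redirects appended to the nested command from the question
# (hosts, ports and user names are the ones posted in the thread):
#   ssh -p 4731 root@localhost \
#     'ssh -q -N -D 1873 -p 3731 sshd@localhost </dev/null >/dev/null 2>&1 &'

printf 'bg_only:     %ss\n' "$(bg_only)"
printf 'stdout_only: %ss\n' "$(stdout_only)"
printf 'detached:    %ss\n' "$(detached)"
```

The redirects have to sit on the backgrounded command itself, since it is that process's inherited descriptors that keep the reader waiting.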