2

The connection is established from Desktop(D) to Server(S) with ssh -D PORT username@Server.

From the Server, the list of ssh users connected can be obtained with who, but the ssh tunnels are not listed in who or w. Also, with netstat -lnpt | grep ssh, the connected user is not listed.

With other commands, such as ps aux | grep ssh or lsof -i -n | egrep '\<ssh\>', a lot more information is retrieved, looking as if more users were connected.

Is there a (What is the) reliable way of getting the list of ssh tunnels with their respective users on S, ideally including the IP address of D?

randunel
  • 125
  • 1
  • 5

1 Answers1

1

The use of ssh -D is not visible to the server. It is only once a socks client connects to the ssh client and request a connection, that the ssh client will ask the server for a forwarding.

Once a connection is fully established, it will be visible on the server. You can see it with netstat -ntp.

It will obviously not be visible with netstat -lntp on the server, because it does not involve any listening sockets.

On the client side running netstat -lntp will show that ssh is listening on the specified port.

kasperd
  • 30,455
  • 17
  • 76
  • 124
  • Oh, good catch with the `-lntp` vs `-ntp` oversight. So you are saying that once a socks client connects to the ssh client, *it will be visible on the server* how, with `who`? – randunel Aug 27 '14 at 18:58
  • @randunel No. It will not be visible with the `who` command, but it will be visible with the `netstat -ntp` command. The socks client has to say where it wants to connect to first though, if client connects to the port on which `ssh` is listening without saying where it wants to connect to, nothing will be visible on the server. – kasperd Aug 27 '14 at 20:09
  • You are correct, the connections are visible. But the information in `netstat -ntp` provides some hints regarding the user connected, but there are too many lines, it seems impossible to filter out the extra lines, so this does not answer my question. Same result would be obtained with `lsof`, as stated in the question, too much information. – randunel Aug 27 '14 at 21:11
  • `netstat -ntp` is unreliable, again, because it truncates the `PID/Program name` column to 19 chars for the whole information. Calling it with `-W` does not help, since that widens other columns, not this one. I can't see the logged in user in the Program name part on some instances anyway :( so I cannot rely on it – randunel Aug 27 '14 at 21:26
  • @randunel 19 columns is more than enough to get the pid. With the pid you can look up the rest using `ps`. Alternatively you can try `lsof`, which can select sockets to display much more flexibly than `netstat`, plus it can display more information. – kasperd Aug 27 '14 at 21:37
  • Is it possible to list local and remote ports and addresses on the local ssh client? – Wilhelm Erasmus Aug 15 '19 at 07:36