How to get the list of SSH tunnels connected with the username used?
The use of ssh -D is not visible to the server. It is only once a SOCKS client connects to the ssh client and requests a connection that the ssh client will ask the server for a forwarding.

Once a connection is fully established, it will be visible on the server. You can see it with netstat -ntp.

It will obviously not be visible with netstat -lntp on the server, because it does not involve any listening sockets.

On the client side, running netstat -lntp will show that ssh is listening on the specified port.
randunel
Updated on September 18, 2022
Comments
-
randunel almost 2 years
The connection is established from Desktop (D) to Server (S) with ssh -D PORT username@Server. From the Server, the list of ssh users connected can be obtained with who, but the ssh tunnels are not listed in who or w. Also, with netstat -lnpt | grep ssh, the connected user is not listed. With other commands, such as ps aux | grep ssh or lsof -i -n | egrep '\<ssh\>', a lot more information is retrieved, looking as if more users were connected.

Is there a (What is the) reliable way of getting the list of ssh tunnels with their respective users on S, ideally including the IP address of D?
-
Steve Townsend almost 10 years
ss -plt gets you part of the way there.
-
randunel almost 10 years
Oh, good catch with the -lntp vs -ntp oversight. So you are saying that once a SOCKS client connects to the ssh client, it will be visible on the server how, with who?
-
kasperd almost 10 years
@randunel No. It will not be visible with the who command, but it will be visible with the netstat -ntp command. The SOCKS client has to say where it wants to connect to first, though; if the client connects to the port on which ssh is listening without saying where it wants to connect to, nothing will be visible on the server.
-
randunel almost 10 years
You are correct, the connections are visible. But the information in netstat -ntp provides only some hints regarding the user connected, and there are too many lines; it seems impossible to filter out the extra lines, so this does not answer my question. The same result would be obtained with lsof, as stated in the question: too much information.
-
randunel almost 10 years
netstat -ntp is unreliable, again, because it truncates the PID/Program name column to 19 chars for the whole information. Calling it with -W does not help, since that widens other columns, not this one. I can't see the logged in user in the Program name part on some instances anyway :( so I cannot rely on it
-
kasperd almost 10 years
@randunel 19 columns is more than enough to get the pid. With the pid you can look up the rest using ps. Alternatively you can try lsof, which can select sockets to display much more flexibly than netstat, plus it can display more information.
-
Wilhelm Erasmus almost 5 years
Is it possible to list local and remote ports and addresses on the local ssh client?
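The answer says the forwarded connections show up in netstat -ntp on the server, and kasperd's comment says the pid in that output is enough to look the user up with ps. The script below, an added example that is not code from the post or from OpenSSH, does exactly that with ss -ntp and ps: it groups sshd-owned sockets by pid, takes the socket on port 22 as the client's address and every other socket of that pid as a forward, then maps the pid to a username. It assumes Linux with iproute2 ss and procps ps, sshd on port 22, and root privileges; the sample outputs embedded at the bottom are constructed so it can run offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# After authentication each session has an sshd child running as that user; it
# owns both the inbound socket on port 22 (peer = the client's address) and every
# connection a -D/-L forward opens (peer = the forward's destination). Grouping
# `ss -ntp` output by pid and joining with `ps` therefore lists tunnels per user.
# Assumes Linux with iproute2 `ss` and procps `ps`, sshd on port 22, and root
# (without it `ss -p` omits other users' process names).

# Print "pid local peer" for each established socket owned by an sshd process;
# a socket shared by the privsep monitor and the child yields one line per pid.
sshd_sockets() {
  awk '$1 == "ESTAB" && /users:\(\("sshd"/ {
        s = $0
        while (match(s, /pid=[0-9]+/)) {
          print substr(s, RSTART + 4, RLENGTH - 4), $4, $5
          s = substr(s, RSTART + RLENGTH)
        }
      }'
}

# $1: `ss -ntp` output, $2: "pid user" lines as printed by `ps -eo pid=,user=`.
# Emits user<TAB>pid<TAB>client<TAB>forward_destination, one line per forward.
list_tunnels() {
  printf '%s\n' "$1" | sshd_sockets | sort -n |
    awk -v ps="$2" '
      BEGIN { n = split(ps, l, "\n")
              for (i = 1; i <= n; i++) { split(l[i], f, " "); if (f[1] != "") user[f[1]] = f[2] } }
      $2 ~ /:22$/ { client[$1] = $3; next }   # inbound session socket
      { fwd[$1] = fwd[$1] $3 "\n" }            # anything else is a forward
      END { for (p in fwd) { m = split(fwd[p], d, "\n")
              for (j = 1; j < m; j++)
                printf "%s\t%s\t%s\t%s\n", (p in user ? user[p] : "?"), p,
                       (p in client ? client[p] : "?"), d[j] } }' | sort
}

# Constructed sample output (not captured from a real host) so this runs offline.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 203.0.113.7:22 198.51.100.20:51234 users:(("sshd",pid=4242,fd=4),("sshd",pid=4240,fd=4))
ESTAB 0 0 203.0.113.7:38822 192.0.2.80:443 users:(("sshd",pid=4242,fd=9))
ESTAB 0 0 203.0.113.7:38830 192.0.2.81:80 users:(("sshd",pid=4242,fd=10))
ESTAB 0 0 203.0.113.7:22 198.51.100.30:40001 users:(("sshd",pid=5151,fd=4),("sshd",pid=5150,fd=4))'
SAMPLE_PS='4240 root
4242 alice
5150 root
5151 bob'

# On the server itself: list_tunnels "$(ss -ntp)" "$(ps -eo pid=,user=)"
list_tunnels "$SAMPLE_SS" "$SAMPLE_PS"
```

A session with no forwards (bob above) produces no line, which is the point: only pids that own a socket besides the port-22 one have a tunnel in use.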