Tags: sockets, ssh, openssh, sshd

Identify incoming SSHD processes by forwarded socket file


I have a Docker container running SSHD which receives SSH connections from multiple remote machines. I need to identify and terminate the connection coming from one particular machine.

The connections:

What I know:

What I've tried so far:


Solution

  • Found the solution: lsof can tell you which processes have a given socket file open. However, Docker, by default, restricts containers such that processes inside the container cannot read /proc/${PID}/fd/${FD_NUM}, even if the process trying to do the reading is running as root, which is why lsof couldn't tell which processes had which files open.

    Running the SSHD container with --cap-add=SYS_PTRACE tells Docker not to block such operations, allowing lsof to work correctly.

    More specifically: lsof -t "${SOCKET_FILE}" will return a list of PIDs which have the given socket file open.
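As an added example (not code from the question or the answer above), the script below does by hand what `lsof -t "${SOCKET_FILE}"` does for a Unix-domain socket on Linux, so that the permission failure the answer describes shows up explicitly: it maps the socket path to its kernel inode numbers through /proc/net/unix, then walks every /proc/PID/fd looking for links whose target is `socket:[inode]`. Reading another process's fd links is what needs ptrace-level access (CAP_SYS_PTRACE when the UIDs differ), which is the capability a default container lacks. It assumes the standard Linux /proc layout; the socket path `/tmp/ssh-example/agent.77` and the `/proc/net/unix` sample text are constructed for illustration.

```python
"""Locate (and optionally kill) the processes holding a Unix socket open, without lsof.

Added illustration of what `lsof -t /path/to/socket` does on Linux:
  1. /proc/net/unix maps the bound socket path to one or more kernel inode numbers
     (the listening socket plus any accepted connections on it);
  2. every /proc/<pid>/fd/<n> is a symlink whose target reads "socket:[<inode>]".
Listing another process's fd directory needs ptrace-level access; without
CAP_SYS_PTRACE (the Docker default) it fails with EACCES for processes that run
as a different UID, which is why lsof reports nothing for them.
"""
import argparse
import os
import signal
import sys

# Constructed sample of /proc/net/unix for the self-test; not a real capture.
# Columns: Num RefCount Protocol Flags Type St Inode Path (Path absent for unbound sockets).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 21436 /tmp/ssh-example/agent.77
0000000000000000: 00000003 00000000 00000000 0001 03 21501 /tmp/ssh-example/agent.77
0000000000000000: 00000002 00000000 00000000 0001 03 21502
0000000000000000: 00000002 00000000 00010000 0001 01 21600 /run/other.sock
"""


def socket_inodes_for_path(socket_path, proc_net_unix_text):
    """Return the set of inode numbers that /proc/net/unix lists for socket_path."""
    inodes = set()
    for line in proc_net_unix_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)  # at most 8 fields, so a path with spaces survives
        if len(fields) == 8 and fields[7] == socket_path:
            inodes.add(fields[6])
    return inodes


def pids_holding_inodes(inodes, proc_root="/proc"):
    """Scan <proc_root>/<pid>/fd/* and return ({pid: [fd, ...]}, [pids that could not be inspected])."""
    targets = {"socket:[%s]" % inode for inode in inodes}
    holders = {}
    denied = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:
            # EACCES here is the symptom of running in a container without CAP_SYS_PTRACE.
            denied.append(pid)
            continue
        except FileNotFoundError:
            continue  # the process exited while we were scanning
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed between listdir and readlink
            if target in targets:
                holders.setdefault(pid, []).append(int(fd))
    return holders, denied


def find_socket_holders(socket_path, proc_root="/proc"):
    """Equivalent of `lsof -t socket_path` for a Unix socket: returns (holders, denied)."""
    with open(os.path.join(proc_root, "net", "unix")) as f:
        inodes = socket_inodes_for_path(socket_path, f.read())
    return pids_holding_inodes(inodes, proc_root)


def main(argv=None):
    parser = argparse.ArgumentParser(description="Find processes holding a Unix socket open.")
    parser.add_argument("socket_path", help="path of the Unix socket exactly as it was bound")
    parser.add_argument("--kill", action="store_true",
                        help="send SIGTERM to every holder other than this process")
    args = parser.parse_args(argv)
    holders, denied = find_socket_holders(args.socket_path)
    for pid, fds in sorted(holders.items()):
        print("%d (fds %s)" % (pid, ",".join(str(fd) for fd in fds)))
    if denied:
        print("warning: could not inspect %d process(es); run the container with "
              "--cap-add=SYS_PTRACE" % len(denied), file=sys.stderr)
    if args.kill:
        for pid in holders:
            if pid != os.getpid():
                os.kill(pid, signal.SIGTERM)
    return 0 if holders else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it inside the container as `python3 find_socket_holders.py /tmp/ssh-.../agent.N`; a non-empty "could not inspect" warning means the container is missing CAP_SYS_PTRACE, which is the same condition that makes `lsof -t` return nothing, and the fix is the `--cap-add=SYS_PTRACE` flag from the answer. Review the printed list before adding `--kill`, since every process with the socket open is signalled, not only the sshd child for the connection you want gone.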