3
[root@server mike]# w
 14:43:35 up 83 days,  1:25,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
mike     pts/1    dsl-IP.w 14:43    0.00s  0.01s  0.03s sshd: mike [priv]

[root@server mike]# ps aux | grep ssh
root      1350  0.0  0.1   5276  1044 ?        Ss   Aug27   0:00 /usr/sbin/sshd
root     14328  0.0  0.2   8020  2580 ?        Ss   12:49   0:00 sshd: dave [priv]
dave   14332  0.0  0.1   8020  1532 ?        S    12:49   0:00 sshd: dave@notty
dave   14333  0.0  0.1   4696  1444 ?        Ss   12:49   0:00 /usr/lib/openssh/sftp-server
root     14344  0.0  0.2   8020  2580 ?        Ss   12:59   0:00 sshd: dave [priv]
dave   14347  0.0  0.1   8168  1564 ?        S    13:00   0:00 sshd: dave@notty
dave   14348  0.0  0.1   4700  1504 ?        Ss   13:00   0:00 /usr/lib/openssh/sftp-server
root     14351  0.0  0.2   8020  2580 ?        Ss   13:04   0:00 sshd: dave [priv]
dave   14355  0.0  0.1   8168  1560 ?        S    13:04   0:00 sshd: dave@notty
dave   14356  0.0  0.1   4696  1472 ?        Ss   13:04   0:00 /usr/lib/openssh/sftp-server
root     14373  0.0  0.2   8020  2584 ?        Ss   13:15   0:00 sshd: dave [priv]
dave   14377  0.0  0.1   8168  1560 ?        S    13:15   0:00 sshd: dave@notty
dave   14378  0.0  0.1   4704  1500 ?        Ss   13:15   0:00 /usr/lib/openssh/sftp-server
root     14385  0.0  0.2   8020  2584 ?        Ss   13:28   0:00 sshd: dave [priv]
dave   14389  0.0  0.1   8168  1592 ?        S    13:28   0:00 sshd: dave@notty
dave   14390  0.0  0.1   4696  1508 ?        Ss   13:28   0:00 /usr/lib/openssh/sftp-server
root     14392  0.0  0.2   8020  2588 ?        Ss   13:30   0:00 sshd: dave [priv]
dave   14396  0.0  0.1   8168  1604 ?        S    13:30   0:00 sshd: dave@notty
dave   14397  0.0  0.1   4696  1492 ?        Ss   13:30   0:00 /usr/lib/openssh/sftp-server
root     14402  0.0  0.2   8020  2584 ?        Ss   13:33   0:00 sshd: dave [priv]
dave   14406  0.0  0.1   8020  1536 ?        S    13:33   0:00 sshd: dave@notty
dave   14407  0.0  0.1   4696  1460 ?        Ss   13:33   0:00 /usr/lib/openssh/sftp-server
root     14428  0.0  0.2   8020  2584 ?        Ss   13:45   0:00 sshd: dave [priv]
dave   14432  0.0  0.1   8168  1580 ?        S    13:45   0:00 sshd: dave@notty
dave   14433  0.0  0.1   4704  1512 ?        Ss   13:45   0:00 /usr/lib/openssh/sftp-server
root     14439  0.0  0.2   8020  2580 ?        Ss   13:53   0:00 sshd: dave [priv]
dave   14443  0.0  0.1   8020  1532 ?        S    13:53   0:00 sshd: dave@notty
dave   14444  0.0  0.1   4696  1448 ?        Ss   13:53   0:00 /usr/lib/openssh/sftp-server
root     14480  0.0  0.2   8020  2584 ?        Ss   14:11   0:00 sshd: dave [priv]
dave   14484  0.0  0.1   8168  1588 ?        S    14:11   0:00 sshd: dave@notty
dave   14485  0.0  0.1   4704  1492 ?        Ss   14:11   0:00 /usr/lib/openssh/sftp-server
root     14487  0.0  0.2   8020  2580 ?        Ss   14:12   0:00 sshd: dave [priv]
dave   14490  0.0  0.1   8020  1552 ?        S    14:12   0:00 sshd: dave@notty
dave   14492  0.0  0.1   4696  1472 ?        Ss   14:12   0:00 /usr/lib/openssh/sftp-server
root     14510  0.0  0.2   8020  2584 ?        Ss   14:35   0:00 sshd: dave [priv]
dave   14514  0.0  0.1   8168  1568 ?        S    14:35   0:00 sshd: dave@notty
dave   14515  0.0  0.1   4700  1492 ?        Ss   14:35   0:00 /usr/lib/openssh/sftp-server
root     14517  0.0  0.2   8020  2580 ?        Ss   14:37   0:00 sshd: dave [priv]
dave   14521  0.0  0.1   8020  1548 ?        S    14:38   0:00 sshd: dave@notty
dave   14522  0.0  0.1   4696  1464 ?        Ss   14:38   0:00 /usr/lib/openssh/sftp-server
root     14538  0.0  0.2   8020  2620 ?        Ss   14:43   0:00 sshd: mike [priv]
mike     14542  0.0  0.1   8020  1560 ?        S    14:43   0:00 sshd: mike@pts/1
root     14554  0.0  0.0   1720   560 pts/1    S+   14:43   0:00 grep ssh

As you can see above, I, mike, am logged into SSH executing commands. This is shown from the w command.

However, there's an odd number of SSH-related processes currently running. I figured dave's sftp session might not show up in the output of w for whatever reason, but that doesn't explain all the running processes...

What's wrong? :/

4 Answers

4

Have a look at the settings:

ClientAliveCountMax 3
ClientAliveInterval 15

in /etc/sysconfig/sshd_config. This will disconnect clients that don't respond to keep-alives. Adjust the values if they aren't aggressive enough. This means that after 15 seconds we send a keep-alive. If no response is received for 3 keep-alives, we disconnect the client (45 seconds).

hellomynameisjoel
1

dave is doing something silly with his sftp client.

Basically, it is not closing, or it is holding open the sftp session with keep-alives indefinitely.

A single sftp login consists of the following processes:


root     14480  0.0  0.2   8020  2584 ?        Ss   14:11   0:00 sshd: dave [priv]
dave   14484  0.0  0.1   8168  1588 ?        S    14:11   0:00 sshd: dave@notty
dave   14485  0.0  0.1   4704  1492 ?        Ss   14:11   0:00 /usr/lib/openssh/sftp-server

You have the root-owned process of sshd (this being the child of sshd itself), the dave-owned process being dave's unprivileged connection, and then the sftp-server spawn.

It all just looks like dave connected a stack of times or is using a threaded sftp client.

pkill, as suggested already, will allow you to trash all the sessions using, say, pkill sftp-server

Payload
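The three-process pattern described in the answer above can be counted per user straight from `ps aux` output. This is an added example, not part of any answer on this page: the function names and the threshold argument are assumptions, and the sample input is an excerpt of the `ps` output from the question.

```shell
#!/bin/sh
# Added example: summarise sshd sessions per user from `ps aux` output on stdin.
# Each login has one unprivileged "sshd: USER@TTY" process; TTY is "notty" for
# sessions without a terminal (sftp, scp), which `w` does not list.

summarise_sshd_sessions() {
    awk '
    # ps aux columns: $9 = START, $11 and $12 = first two words of COMMAND.
    $11 == "sshd:" && $12 ~ /@/ {
        split($12, part, "@")
        user = part[1]; tty = part[2]
        if (tty == "notty") notty[user]++; else pty[user]++
        if (!(user in first)) first[user] = $9   # input is assumed to be in PID order
        last[user] = $9
        seen[user] = 1
    }
    END {
        for (u in seen)
            printf "%s notty=%d pty=%d first=%s last=%s\n",
                   u, notty[u], pty[u], first[u], last[u]
    }' | sort
}

# Print users holding more than $1 notty sessions ($1 is an assumed policy value).
flag_piled_up() {
    summarise_sshd_sessions |
        awk -v max="$1" '{ split($2, kv, "="); if (kv[2] + 0 > max) print $1 }'
}

# Sample input: excerpt of the ps output shown in the question.
sample_ps() {
    cat <<'EOF'
root      1350  0.0  0.1   5276  1044 ?        Ss   Aug27   0:00 /usr/sbin/sshd
root     14480  0.0  0.2   8020  2584 ?        Ss   14:11   0:00 sshd: dave [priv]
dave   14484  0.0  0.1   8168  1588 ?        S    14:11   0:00 sshd: dave@notty
dave   14485  0.0  0.1   4704  1492 ?        Ss   14:11   0:00 /usr/lib/openssh/sftp-server
root     14510  0.0  0.2   8020  2584 ?        Ss   14:35   0:00 sshd: dave [priv]
dave   14514  0.0  0.1   8168  1568 ?        S    14:35   0:00 sshd: dave@notty
dave   14515  0.0  0.1   4700  1492 ?        Ss   14:35   0:00 /usr/lib/openssh/sftp-server
root     14538  0.0  0.2   8020  2620 ?        Ss   14:43   0:00 sshd: mike [priv]
mike     14542  0.0  0.1   8020  1560 ?        S    14:43   0:00 sshd: mike@pts/1
root     14554  0.0  0.0   1720   560 pts/1    S+   14:43   0:00 grep ssh
EOF
}

sample_ps | summarise_sshd_sessions
```

On a live host, replace `sample_ps` with `ps aux`; a notty count that keeps growing while `first` stays old points at sessions that are never being closed.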
0

There is a package called procps. It includes various useful (read as nifty) utilities. One such utility is pkill, which is responsible for sending a signal to users and processes, such as:

  • Halt user terminal
  • Kill user and logout

http://linux.die.net/man/1/pkill

Glenn Kelley
0

An sftp connection is downloading a file or several files using segmented downloads. My guess is that if you kill the sftp process, all the sshd: dave@notty will disappear.