Who Is Connected? Monitor AFP SSH Status

Who is connected? (v1.03)

is a small (1.1Mb) unobtrusive menu bar app which monitors the status
of Apple File Sharing (AFP) and Remote Login (SSH) for Mac OS X.

Who is connected? shows both the status of AFP & SSH ( i.e. whether they are enabled or not in System Preferences ) and if users are connected to your Mac, all via a simple icon ( ) in the Mac OS X menu bar. In addition the user is notified of new SSH connections via Growl.

Features:
- Shows status of Apple File Sharing (AFP) in menu bar
- Shows when users are connected via Apple File Sharing (AFP) in menu bar
- Shows status of Remote Login (SSH) in menu bar
- Shows when users are connected via Remote Login (SSH)
- Notifies user of new SSH connections via Growl Notification Framework
- Enables user to check last log entry via Growl Notification Framework
- Enables user to set a custom SSH port for monitoring incoming connections
- Enables user to kill all existing SSH connections*
- Provides quick access to file sharing preferences pane

*Note: Disabling Remote Login in System Prefrences does not disconnect pre-existing tunnels.

System Requirements:
- Requires Mac OS X 10.5 or later - Intel only
Note: If you're still on a PPC processor click here for v1.01
- Growl

Download: Who Is Connected?.dmg 1.2Mb

License:
Hurray! Who Is Connected? is freeware : )
Having benefitted from so many people who have made their software freely available in the past and as a thank you and contribution to the wider Mac community, we are pleased to say that Who Is Connected? is free!

Please note that this means Who Is Connected? is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; and without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. (Sorry about the capitals, I think it's for dramatic effect.) The full license agreement is available here.

If you like Who Is Connected? or if you come across a problem, then please let us know. But please remember, as Who Is Connected? is free, we can't guarantee to fix it. Developing for the Mac is just something we do for fun in the little free time we have, so please bear with us if there's a delay in responding.

Known bugs and limitations:
- The About menu does not work under Tiger
- Who Is Connected? doesn't do everything that it says on the tin (yet). Who Is Connected? shows you the status of AFP & SSH and tells you that someone is connected. In addition it notifies you of new SSH connections and gives the IP addres and login name of the user. However, it doesn't list individual connections at a given point in time. Sorry, it almost does what it says on the tin, and it may well do one day, but not quite yet. However, we stil thought it was a nifty little app as it stands and that it might be useful to someone.

Installation, uninstall and launch on login:
Make sure you're running Mac OS X 10.4.4 or above and and have a working copy of Growl installed.

Once the file has downloaded and you've opened the .dmg, simply drag Who Is Connected? into your application folder and double click it to launch. Yes installation is that easy... Thanks Apple!

To uninstall, simply drag the Who Is Connected.app to your trash can.

You can also set Who Is Connected? to launch automatically on login by adding Who Is Connected? to your login items via System Preferences > Accounts.

Instructions:
Who Is Connected? is fairly self explanatory. Simply launch the app and it will run quietly in your Mac OS X menu bar.

Menu Bar Icons:
The menu bar icon will change dependent on the status of the options you chose in the sharing pane of System Preferences and whether or not you have active AFP or SSH connections.

In essence, an F wil appear in the menu bar icon if you enable Apple File Sharing (AFP) and an S will appear if you enable Remote Login (SSH) access. Each will turn blue (F, S) as soon as there are active connections. For a full list of different menu bar icon states, see the below table:

Icon		Description
		Who Is Connected has launched. AFP & SSH are disabled in System Preferences.
		AFP is enabled in System Preferences. SSH is disabled.
		SSH is enabled in System Preferences. AFP is disabled.
		AFP & SSH are enabled in System Preferences but there are no active connections.
		AFP is enabled in System Preferences and has connected users.
		SSH has an active tunnel connection**
		AFP is enabled. There are no active connections. SSH has an active tunnel connection.
		SSH is enabled in System Preferences. AFP is enabled and there are connected users.
		SSH & AFP have active connections.

**Note: Where pre-existing tunnels exist, SSH users may still be connected to your computer even if you disable Remote Login to your Mac in System Preferences. You must use the SSH: Kill all connections menu command to disconnect users if Remote Login is disabled but active tunnels still exist.

SSH Logger:
If a successful login attempt is made via SSH, the user is immediately notified of the event via the Growl notification framework, the appearance of which is set via the Growl prefs pane in System Preferences.

		The SSH Logger function informs you of the: - date and time of login - method (i.e. public key or password) - user account used for login - source IP address and port number - ssh protocol

		The source of this data is the in-built Mac OS X /private/var/log/secure.log. The full log can be retrieved by choosing: SSH: Open secure.log in console from the Who Is Connected? menu. In a similar way, the last SSH event can also be quickly retrieved by choosing: SSH: Check last log entry

SSH: Kill all connections:
This menu function issues a 'sudo killall sshd' command and requires Administrative privileges to run. The command kills all SSHD processes and attempts to disconnect all existing users. (We included this menu option as we noted that disabling Remote Login in System Preferences leaves pre-existing tunnels connected. This behaviour is contrary to Apple File Sharing where simply disabling AFP in System Preferences disconnects users immediately.)

No warning is given to remote users when this command is issued and they will usually be instantly disconnected from your machine.

I say usually... the user may not be instantly disconnected where either your server is configured to keep-alive the connection or where they have set up an SSH tunnel using various methods to ensure the tunnel remains open e.g. to prevent having to reconnect based on server time outs or the TCP connection hanging for example.

In these cases, you should first disable Remote Login in the File Sharing Preferences pane, before issuing the Kill All Connections command. If after a few seconds you still see an active tunnel () in the menu bar, just issue the SSH: kill all connections command again.

Preferences:

Custom SSH Port Numbers:
Who Is Connected? can monitor custom SSH ports. The default port is 22. Simply change the port number in the preferences to match your a custom port number. Any change will take effect immediately.

who is connected? preferences screenshot

Secure.log file access:
Under Tiger, the secure.log file is owned by the system and is not normally accessible to even Admin users without authentication. (The default permissions set is: -rw-------.) Under Leopard, Apple relaxed permissions on the secure.log to enable read only permissions to include Admin users by default (-rw-r-----).

Who Is Connected? requires access to the secure.log in order to notify the user of new SSH connections. Without unhindered read-only access, it would require authentication every few seconds to read data from the log.

As such, if access is unavailable, i.e. the user who has launched Who Is Connected? does not have the required privileges to read the log file, Who Is Connected? will notify the user and disable the SSH Logger function until such a time that access becomes available. Who Is Connected? will continue to monitor new connections via the menu bar status icon, but Growl notifications will be unavailable.

You will be affected if you use an admin user account in Tiger or a standard user account in Leopard or Tiger. We've tried to make it as simple as possible in order to change permissions and enable read-only access to the log file. Simply open up Who Is Connected? preferences and hit Go... in the relevant box.

Setting access to secure.log for admin users will enable read-only access to the secure.log for all admin users, i.e. the factory default setting in Leopard (-rw-r-----).

Setting access to secure.log for all users will enable read-only access to the secure.log for all users (-rw-r--r--).

Note: Authentication will be required when running either of these two commands.

Thanks & Attribution:
There are a number of acknowledgements due to people who have taken time to share their experience and snippets of code on the web, without whom this project would have taken much longer to get off the ground.

We'd like to firstly thank Vincent Gable of http://vincentgable.com for both his hints and pointers on the use of NSTask in Cocoa and his generous alloc of time in debugging a memory leak in Who Is Connected? along with helping us to gain a better understanding of Cocoa memory management.

In addition, credit where credit is due, the Who Is Connected? preferences window owes it's class to Dave Batton of http://www.Mere-Mortal-Software.com/ and the authentication function to run as sudo to Brian Dunagan http://www.bdunagan.com/.

It goes without saying that notification without Growl is no notification at all. Which leaves me finally with Google! We couldn't have found any of the above without you! Thanks guys!