I have a Docker container running SSHD which receives SSH connections from multiple remote machines. I need to identify and terminate the connection coming from one particular machine.

The connections:

• Each incoming connection is from a different machine.
• Each incoming connection forwards a Unix socket file on the container to a TCP port on the remote machine. Each remote machine forwards a different container.
• Forwarding that one port is the only thing these connections do; they do not start an interactive session or run any commands.
• Every incoming connection logs in as the same user.
• Each remote machine has a different auth key which it uses to log in.
• The code which executes the SSH connection on the remote machines is under my control, so if there is some option I can pass to ssh or set in ssh_config which will make it easier to ID the connections, I have the option to do that.

What I know:

• I know the serial number of the machine whose connection I need to kill.
• I know which socket file that connection will be forwarding.
• I know which SSH auth key the connection will have logged in with.
• I do not know what IP address or hostname the connection will be coming from.

What I’ve tried so far:

• ps -aux will show me the SSHD processes for all the incoming connections. However, I cannot tell which incoming connection comes from which remote machine.
• If I could identify which process corresponded to which SSH auth key, that would suffice, but there’s no obvious way to even begin with that.
• The most promising option would seem to be identifying which process has the corresponding socket file open, but I haven’t been able to do that yet:
  • cat /proc/net/unix tells me which socket files are open, but not what processes each one is opened by
  • lsof is supposed to list which processes have which files open. However, when I tested it by running it when I had a single incoming connection:
    • The output did not list the socket file I knew to be open anywhere
    • The output for the SSHD processes in question (there were two of them, one running as root and the other as the log-in user) showed their only open files to be /proc/${PID}/cwd, /proc/${PID}/root, /proc/${PID}/exe, and 6-8 numbered files in /proc/${PID}/fd/