LinuxQuestions.org

Linux - Newbie forum thread: What are all these ssh processes all about? (https://www.linuxquestions.org/questions/linux-newbie-8/what-are-all-these-ssh-processes-all-about-4175605776/)

NotionCommotion 05-12-2017 08:30 AM

What are all these ssh processes all about?
 
Hello. I'm trying to understand what these ssh processes are all about. The machine in question is located in my garage. There should only be one ssh connection (me ssh'ing into it from my office). What are the others about? EDIT: Also, why does the number of processes magically change? Thank you.
Code:

[Michael@devserver ~]$ ps aux | grep ssh
root      2781  0.0  0.0  66260  1196 ?        Ss  May04  1:01 /usr/sbin/sshd
root    12063  0.0  0.0 102164  4380 ?        Ss  May11  0:00 sshd: Michael [priv]
Michael  12091  0.0  0.0 102164  2020 ?        S    May11  0:00 sshd: Michael@pts/0
root    14620  0.0  0.0 102156  4080 ?        Ss  06:18  0:00 sshd: Michael [priv]
Michael  14632  0.0  0.0 102156  1976 ?        S    06:18  0:00 sshd: Michael
Michael  15180  0.0  0.0 103336  856 pts/0    S+  06:24  0:00 grep ssh
[Michael@devserver ~]$ ps aux | grep ssh
root      2781  0.0  0.0  66260  1196 ?        Ss  May04  1:01 /usr/sbin/sshd
root    12063  0.0  0.0 102164  4380 ?        Ss  May11  0:00 sshd: Michael [priv]
Michael  12091  0.0  0.0 102164  2020 ?        S    May11  0:00 sshd: Michael@pts/0
root    14620  0.0  0.0 102156  4080 ?        Ss  06:18  0:00 sshd: Michael [priv]
Michael  14632  0.0  0.0 102156  1976 ?        S    06:18  0:00 sshd: Michael
root    15202  0.0  0.0 100764  3912 ?        Ss  06:24  0:00 sshd: root [priv]
sshd    15203  0.0  0.0  67604  1696 ?        S    06:24  0:00 sshd: root [net]
root    15208  0.0  0.0  67604  3208 ?        Ss  06:24  0:00 sshd: [accepted]
sshd    15209  0.0  0.0  67604  1416 ?        S    06:24  0:00 sshd: [net]
Michael  15211  0.0  0.0 103336  856 pts/0    S+  06:24  0:00 grep ssh
[Michael@devserver ~]$


r3sistance 05-12-2017 09:36 AM

ps isn't great for telling what is an actual logged-in user; I'd get the output of "w":

Code:

# w
 15:29:18 up 17 days, 55 min,  2 users,  load average: 0.00, 0.02, 0.05
USER    TTY      FROM            LOGIN@  IDLE  JCPU  PCPU WHAT
support  tty1                      25Apr17 16days  0.01s  0.01s -bash
support  pts/0    *.*.*.*          12:24    6.00s  0.05s  0.16s sshd: support [priv]
# ps aux | grep ssh
root      967  0.0  0.0  82560  3608 ?        Ss  Apr25  0:46 /usr/sbin/sshd -D
root    26748  0.0  0.1 145516  5868 ?        Ss  12:24  0:00 sshd: support [priv]
support  26750  0.0  0.0 145648  2380 ?        S    12:24  0:00 sshd: support@pts/0
root    29351  0.4  0.1 140240  5132 ?        Ss  15:29  0:00 sshd: root [priv]
sshd    29352  0.0  0.0  81808  2188 ?        S    15:29  0:00 sshd: root [net]
root    29354  0.0  0.0 112652  972 pts/0    S+  15:29  0:00 grep --color=auto ssh

Anyway, I believe part of what you are seeing is due to the "Privilege Separation" of SSH, where there are at least 2 processes per connection. So you have a privileged connection running as root and then the actual user connection (the one on a PTS: support@pts/0), which is unprivileged and runs as the intended user.

NotionCommotion 05-12-2017 11:08 AM

Thanks r3sistance,

Glad I didn't have a bunch of hackers logged onto my server!

Turbocapitalist 05-12-2017 12:15 PM

You can try some different options to ps to see better what is going on:

Code:

# ps axjf | grep [s]shd
    1  1114  1114  1114 ?          -1 Ss      0  0:03 /usr/sbin/sshd -D
 1114 28948 28948 28948 ?          -1 Ss      0  0:00  \_ sshd: tc [priv] 
28948 28950 28948 28948 ?          -1 S    1001  0:00      \_ sshd: tc@pts/7

Basically you are seeing some of the pieces resulting from OpenSSH's privilege separation.

First you have a privileged process which listens on port 22. This sticks around as long as the SSH server is listening. In my example that would be PID 1114.

Then you add another privileged process to monitor a new connection. This sticks around until the login fails or, if the login succeeds, until you end the session. That is 28948 in my example above.

During the login, the privileged monitor process spawns an unprivileged process as user "sshd" to handle the authentication. This only sticks around until the login fails or succeeds. That probably would have been PID 28949 in my example, but as you see, whatever its number, it is gone and the login succeeded.

Then, if the login succeeds, the privileged monitor spawns a child process under the login user's id to handle the actual session. That would be 28950 in my example.

In addition to the concept of "privilege separation", see also the related concept of "least privilege".
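The process roles described in the two replies above (the listener, the per-connection root monitor, the unprivileged pre-auth child, and the session process under the login user), as an added example that is not part of the thread: a POSIX shell script that labels each sshd process from the titles OpenSSH sets for itself and counts authenticated sessions versus connections still in pre-auth. It assumes `ps -eo pid,ppid,user,args` column layout and that the unprivileged pre-auth child runs as the account named in SSHD_PRIVSEP_USER (default "sshd", as in the listings above; some distributions use a different name). The sample input is constructed from the thread's listings, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): label OpenSSH privilege-separation processes
# from `ps -eo pid,ppid,user,args` output and count sessions vs. pre-auth connections.
# Assumption: the unprivileged pre-auth child runs as the account named in
# SSHD_PRIVSEP_USER (default "sshd", as in the thread; some distros use another name).
set -eu

SSHD_PRIVSEP_USER="${SSHD_PRIVSEP_USER:-sshd}"

# Constructed sample in `ps -eo pid,ppid,user,args` layout, modelled on the
# thread's listings: one listener, two authenticated sessions, two connections
# still in pre-auth, plus a non-sshd line that must be ignored.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 2781     1 root     /usr/sbin/sshd
14620  2781 root     sshd: Michael [priv]
14632 14620 Michael  sshd: Michael
 8371  2781 root     sshd: Michael [priv]
 8380  8371 Michael  sshd: Michael@pts/0
 8410  2781 root     sshd: root [priv]
 8411  8410 sshd     sshd: root [net]
 8419  2781 root     sshd: [accepted]
 8420  8419 sshd     sshd: [net]
15180 14632 Michael  grep ssh'

# classify_sshd: stdin = ps lines; stdout = one tab-separated line per sshd
# process: pid, ppid, role, user (or -), explanation, optional WARNING.
# Roles come from the process titles sshd sets for itself at each stage.
classify_sshd() {
  awk -v privsep="$SSHD_PRIVSEP_USER" '
    NR == 1 && $1 == "PID" { next }                 # skip the ps header if present
    {
      pid = $1; ppid = $2; user = $3
      args = $4; for (i = 5; i <= NF; i++) args = args " " $i
      who = "-"; warn = ""
      # Order matters: the bracketed titles also match the plain "sshd: NAME" pattern.
      if (args ~ /^sshd: \[accepted\]$/) {
        role = "monitor-noauth"; note = "root monitor; client connected, no username sent yet"
      } else if (args ~ /^sshd: \[net\]$/) {
        role = "net-unpriv-noauth"; note = "unprivileged child doing key exchange"
      } else if (args ~ /^sshd: [^ ]+ \[priv\]$/) {
        role = "monitor"; who = $5; note = "root monitor for this connection"
      } else if (args ~ /^sshd: [^ ]+ \[net\]$/) {
        role = "net-unpriv"; who = $5; note = "unprivileged child; username claimed, NOT yet authenticated"
      } else if (args ~ /^sshd: [^ ]+@[^ ]+$/) {
        role = "session-tty"; split($5, a, "@"); who = a[1]; note = "authenticated, interactive shell on " a[2]
      } else if (args ~ /^sshd: [^ ]+$/) {
        role = "session-notty"; who = $5; note = "authenticated, no tty (sftp, port forward or remote command)"
      } else if (args !~ /^sshd:/ && args ~ /(^|\/)sshd( |$)/) {
        role = "listener"; note = "accepts new connections (the daemon started at boot)"
      } else next
      # Sanity checks: privsep only helps if each piece runs under the expected uid.
      if ((role == "listener" || role ~ /^monitor/) && user != "root")
        warn = "\tWARNING: expected root, runs as " user
      if (role ~ /^net-unpriv/ && user != privsep)
        warn = "\tWARNING: expected " privsep ", runs as " user
      if (role ~ /^session/ && user != who)
        warn = "\tWARNING: session for " who " runs as " user
      printf "%s\t%s\t%s\t%s\t%s%s\n", pid, ppid, role, who, note, warn
    }'
}

# sshd_summary: how many connections are authenticated vs. still in pre-auth.
# A pile of pre-auth entries from hosts you do not recognise is what a
# password-guessing run looks like in ps.
sshd_summary() {
  classify_sshd | awk -F'\t' '
    $3 ~ /^session/    { s++ }
    $3 ~ /^net-unpriv/ { p++ }
    END { printf "sessions=%d preauth=%d\n", s + 0, p + 0 }'
}

# Stand-alone demo on the constructed sample. For a live view run:
#   ps -eo pid,ppid,user,args | classify_sshd
printf '%s\n' "$SAMPLE_PS" | classify_sshd
printf '%s\n' "$SAMPLE_PS" | sshd_summary
```

On the sample this reports two authenticated sessions and two connections still in pre-auth. The "[accepted]"/"[net]" and "user [priv]"/"user [net]" pairs are clients that have connected but not yet authenticated, which is why their count changes from one ps run to the next; if you see many of them from addresses you do not recognise, check the peer addresses with `ss -tnp` and the failures in the auth log rather than relying on ps alone.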

NotionCommotion 05-12-2017 01:01 PM

Thanks for the explanation, Turbocapitalist. Note that I have a few more processes going on. Just on a hunch, I stopped Samba, and it looks like it was responsible for two of the processes. I still have one more, but at least I know what causes it.

Code:

[Michael@devserver ~]$ ps axjf | grep [s]shd
    1  2781  2781  2781 ?          -1 Ss      0  1:03 /usr/sbin/sshd
 2781 14620 14620 14620 ?          -1 Ss      0  0:00  \_ sshd: Michael [priv]
14620 14632 14620 14620 ?          -1 S      500  0:00  |  \_ sshd: Michael
 2781  8371  8371  8371 ?          -1 Ss      0  0:00  \_ sshd: Michael [priv]
 8371  8380  8371  8371 ?          -1 S      500  0:00  |  \_ sshd: Michael@pts/0
 2781  8410  8410  8410 ?          -1 Ss      0  0:00  \_ sshd: root [priv]
 8410  8411  8410  8410 ?          -1 S      74  0:00  |  \_ sshd: root [net]
 2781  8417  8417  8417 ?          -1 Ss      0  0:00  \_ sshd: root [priv]
 8417  8418  8417  8417 ?          -1 S      74  0:00  |  \_ sshd: root [net]
 2781  8419  8419  8419 ?          -1 Ss      0  0:00  \_ sshd: [accepted]
 8419  8420  8419  8419 ?          -1 S      74  0:00  |  \_ sshd: [net]
 2781  8421  8421  8421 ?          -1 Ss      0  0:00  \_ sshd: [accepted]
 8421  8422  8421  8421 ?          -1 S      74  0:00      \_ sshd: [net]
[Michael@devserver ~]$ sudo /etc/init.d/smb stop
[sudo] password for Michael:
Shutting down SMB services:                                [  OK  ]
[Michael@devserver ~]$ sudo /etc/init.d/nmb stop
Shutting down NMB services:                                [  OK  ]
[Michael@devserver ~]$ ps axjf | grep [s]shd
    1  2781  2781  2781 ?          -1 Ss      0  1:03 /usr/sbin/sshd
 2781 14620 14620 14620 ?          -1 Ss      0  0:00  \_ sshd: Michael [priv]
14620 14632 14620 14620 ?          -1 S      500  0:00  |  \_ sshd: Michael
 2781  8371  8371  8371 ?          -1 Ss      0  0:00  \_ sshd: Michael [priv]
 8371  8380  8371  8371 ?          -1 S      500  0:00  |  \_ sshd: Michael@pts/0
 2781  8757  8757  8757 ?          -1 Ss      0  0:00  \_ sshd: root [priv]
 8757  8758  8757  8757 ?          -1 S      74  0:00      \_ sshd: root [net]
[Michael@devserver ~]$


