LinuxQuestions.org
Old 05-12-2017, 09:30 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 761

Rep: Reputation: Disabled
What are all these ssh processes all about?


Hello, trying to understand what these ssh processes are all about. The machine in question is located in my garage. There should only be one ssh connection (me ssh'ing into it from my office). What are the others about? EDIT: Also, why does the number of processes magically change? Thank you.
Code:
[Michael@devserver ~]$ ps aux | grep ssh
root      2781  0.0  0.0  66260  1196 ?        Ss   May04   1:01 /usr/sbin/sshd
root     12063  0.0  0.0 102164  4380 ?        Ss   May11   0:00 sshd: Michael [priv]
Michael  12091  0.0  0.0 102164  2020 ?        S    May11   0:00 sshd: Michael@pts/0
root     14620  0.0  0.0 102156  4080 ?        Ss   06:18   0:00 sshd: Michael [priv]
Michael  14632  0.0  0.0 102156  1976 ?        S    06:18   0:00 sshd: Michael
Michael  15180  0.0  0.0 103336   856 pts/0    S+   06:24   0:00 grep ssh
[Michael@devserver ~]$ ps aux | grep ssh
root      2781  0.0  0.0  66260  1196 ?        Ss   May04   1:01 /usr/sbin/sshd
root     12063  0.0  0.0 102164  4380 ?        Ss   May11   0:00 sshd: Michael [priv]
Michael  12091  0.0  0.0 102164  2020 ?        S    May11   0:00 sshd: Michael@pts/0
root     14620  0.0  0.0 102156  4080 ?        Ss   06:18   0:00 sshd: Michael [priv]
Michael  14632  0.0  0.0 102156  1976 ?        S    06:18   0:00 sshd: Michael
root     15202  0.0  0.0 100764  3912 ?        Ss   06:24   0:00 sshd: root [priv]
sshd     15203  0.0  0.0  67604  1696 ?        S    06:24   0:00 sshd: root [net]
root     15208  0.0  0.0  67604  3208 ?        Ss   06:24   0:00 sshd: [accepted]
sshd     15209  0.0  0.0  67604  1416 ?        S    06:24   0:00 sshd: [net]
Michael  15211  0.0  0.0 103336   856 pts/0    S+   06:24   0:00 grep ssh
[Michael@devserver ~]$

Last edited by NotionCommotion; 05-12-2017 at 09:46 AM.
 
Old 05-12-2017, 10:36 AM   #2
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
ps isn't great for telling what is an actual logged-in user; I'd get the output of "w".

Code:
# w
 15:29:18 up 17 days, 55 min,  2 users,  load average: 0.00, 0.02, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
support  tty1                      25Apr17 16days  0.01s  0.01s -bash
support  pts/0    *.*.*.*          12:24    6.00s  0.05s  0.16s sshd: support [priv]
# ps aux | grep ssh
root       967  0.0  0.0  82560  3608 ?        Ss   Apr25   0:46 /usr/sbin/sshd -D
root     26748  0.0  0.1 145516  5868 ?        Ss   12:24   0:00 sshd: support [priv]
support  26750  0.0  0.0 145648  2380 ?        S    12:24   0:00 sshd: support@pts/0
root     29351  0.4  0.1 140240  5132 ?        Ss   15:29   0:00 sshd: root [priv]
sshd     29352  0.0  0.0  81808  2188 ?        S    15:29   0:00 sshd: root [net]
root     29354  0.0  0.0 112652   972 pts/0    S+   15:29   0:00 grep --color=auto ssh
Anyways, I believe a part of what you are seeing is due to "Privilege Separation" of SSH, where there are at least 2 processes per connection. So you have a privileged connection running as root and then the actual user connection (the one on a PTS: support@pts/0) which is unprivileged and runs as the intended user.

Last edited by r3sistance; 05-12-2017 at 10:41 AM.
 
2 members found this post helpful.
Old 05-12-2017, 12:08 PM   #3
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 761

Original Poster
Rep: Reputation: Disabled
Thanks r3sistance,

Glad I didn't have a bunch of hackers logged onto my server!
 
Old 05-12-2017, 01:15 PM   #4
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,424
Blog Entries: 3

Rep: Reputation: 2201
You can try some different options to ps to see better what is going on:

Code:
# ps axjf | grep [s]shd
    1  1114  1114  1114 ?           -1 Ss       0   0:03 /usr/sbin/sshd -D
 1114 28948 28948 28948 ?           -1 Ss       0   0:00  \_ sshd: tc [priv]   
28948 28950 28948 28948 ?           -1 S     1001   0:00      \_ sshd: tc@pts/7
Basically you are seeing some of the pieces resulting from OpenSSH's privilege separation.

First you have a privileged process which listens on port 22. This sticks around as long as the SSH server is listening. In my example that would be PID 1114.

Then you add another privileged process to monitor a new connection. This sticks around until the login fails or, if the login succeeds, until you end the session. That is 28948 in my example above.

During the login, the privileged monitor process spawns an unprivileged process as user "sshd" to handle the authentication. This only sticks around until the login fails or succeeds. That probably would have been PID 28949 in my example, but as you see, whatever its number, it is gone and the login succeeded.

Then, if the login succeeds, the privileged monitor spawns a child process under the login user's id to handle the actual session. That would be 28950 in my example.

In addition to the concept of "privilege separation", see also the related concept of "least privilege".

Last edited by Turbocapitalist; 05-12-2017 at 01:24 PM.
 
1 members found this post helpful.
Old 05-12-2017, 02:01 PM   #5
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 761

Original Poster
Rep: Reputation: Disabled
Thanks for the explanation, Turbocapitalist. Note that I have a few more processes going on. Just on a hunch, I stopped samba, and it looks like it was responsible for two of the processes. Still have one more, but at least I know what causes it.

Code:
[Michael@devserver ~]$ ps axjf | grep [s]shd
    1  2781  2781  2781 ?           -1 Ss       0   1:03 /usr/sbin/sshd
 2781 14620 14620 14620 ?           -1 Ss       0   0:00  \_ sshd: Michael [priv]
14620 14632 14620 14620 ?           -1 S      500   0:00  |   \_ sshd: Michael
 2781  8371  8371  8371 ?           -1 Ss       0   0:00  \_ sshd: Michael [priv]
 8371  8380  8371  8371 ?           -1 S      500   0:00  |   \_ sshd: Michael@pts/0
 2781  8410  8410  8410 ?           -1 Ss       0   0:00  \_ sshd: root [priv]
 8410  8411  8410  8410 ?           -1 S       74   0:00  |   \_ sshd: root [net]
 2781  8417  8417  8417 ?           -1 Ss       0   0:00  \_ sshd: root [priv]
 8417  8418  8417  8417 ?           -1 S       74   0:00  |   \_ sshd: root [net]
 2781  8419  8419  8419 ?           -1 Ss       0   0:00  \_ sshd: [accepted]
 8419  8420  8419  8419 ?           -1 S       74   0:00  |   \_ sshd: [net]
 2781  8421  8421  8421 ?           -1 Ss       0   0:00  \_ sshd: [accepted]
 8421  8422  8421  8421 ?           -1 S       74   0:00      \_ sshd: [net]
[Michael@devserver ~]$ sudo /etc/init.d/smb stop
[sudo] password for Michael:
Shutting down SMB services:                                [  OK  ]
[Michael@devserver ~]$ sudo /etc/init.d/nmb stop
Shutting down NMB services:                                [  OK  ]
[Michael@devserver ~]$ ps axjf | grep [s]shd
    1  2781  2781  2781 ?           -1 Ss       0   1:03 /usr/sbin/sshd
 2781 14620 14620 14620 ?           -1 Ss       0   0:00  \_ sshd: Michael [priv]
14620 14632 14620 14620 ?           -1 S      500   0:00  |   \_ sshd: Michael
 2781  8371  8371  8371 ?           -1 Ss       0   0:00  \_ sshd: Michael [priv]
 8371  8380  8371  8371 ?           -1 S      500   0:00  |   \_ sshd: Michael@pts/0
 2781  8757  8757  8757 ?           -1 Ss       0   0:00  \_ sshd: root [priv]
 8757  8758  8757  8757 ?           -1 S       74   0:00      \_ sshd: root [net]
[Michael@devserver ~]$
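
An added example, not part of any post in this thread: a shell function that sorts `ps axjf` sshd lines into the privilege-separation roles described in post #4 (listener, privileged monitor, pre-authentication child, user session), so established logins can be told apart from connections that are still authenticating. The sample input is constructed in the format of the listings above, and the process-title patterns (`[priv]`, `[net]`, `[accepted]`) are assumed to match those shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): label each sshd process in `ps axjf`
# output with its privilege-separation role; titles assumed as in the thread.

classify_sshd() {   # stdin: ps axjf lines; stdout: "PID ROLE NAME"
    awk '
    /sshd/ {
        pid = $2
        i = index($0, "sshd: ")
        if (i == 0) {                       # no title: the listening daemon
            if ($0 ~ /\/sshd( |$)/) print pid, "listener", "-"
            next
        }
        title = substr($0, i + 6)
        sub(/[ \t]+$/, "", title)
        if (title == "[accepted]")       print pid, "monitor", "-"
        else if (title == "[net]")       print pid, "preauth", "-"
        else if (sub(/ \[priv\]$/, "", title)) print pid, "monitor", title
        else if (sub(/ \[net\]$/, "", title))  print pid, "preauth", title
        else { sub(/@.*/, "", title);    print pid, "session", title }
    }'
}

summarize_sshd() {  # stdin: ps axjf lines; stdout: one summary line
    classify_sshd | awk '
        $2 == "session" { s++ }
        $2 == "preauth" { p++; if ($3 != "-") tried[$3]++ }
        END {
            printf "sessions=%d preauth=%d", s, p
            for (u in tried) printf " preauth_user=%s:%d", u, tried[u]
            printf "\n"
        }'
}

sample_ps() {       # constructed sample in the format of the listings above
cat <<'EOF'
    1  2781  2781  2781 ?           -1 Ss       0   1:03 /usr/sbin/sshd
 2781 14620 14620 14620 ?           -1 Ss       0   0:00  \_ sshd: Michael [priv]
14620 14632 14620 14620 ?           -1 S      500   0:00  |   \_ sshd: Michael
 2781  8371  8371  8371 ?           -1 Ss       0   0:00  \_ sshd: Michael [priv]
 8371  8380  8371  8371 ?           -1 S      500   0:00  |   \_ sshd: Michael@pts/0
 2781  8757  8757  8757 ?           -1 Ss       0   0:00  \_ sshd: root [priv]
 8757  8758  8757  8757 ?           -1 S       74   0:00  |   \_ sshd: root [net]
 2781  8419  8419  8419 ?           -1 Ss       0   0:00  \_ sshd: [accepted]
 8419  8420  8419  8419 ?           -1 S       74   0:00      \_ sshd: [net]
EOF
}

sample_ps | summarize_sshd   # live system: ps axjf | summarize_sshd
```

On the sample this reports two sessions for Michael and two connections still in authentication, one of them presenting the user name root; the `w` command suggested in post #2 remains the cross-check for who is actually logged in.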
 
  

