You can try some different options to
ps to see better what is going on:
Code:
# ps axjf | grep [s]shd
1 1114 1114 1114 ? -1 Ss 0 0:03 /usr/sbin/sshd -D
1114 28948 28948 28948 ? -1 Ss 0 0:00 \_ sshd: tc [priv]
28948 28950 28948 28948 ? -1 S 1001 0:00 \_ sshd: tc@pts/7
Basically you are seeing some of the pieces resulting from OpenSSH's
privilege separation.
First you have a privileged process which listens on port 22. This sticks around as long as the SSH server is listening. In my example that would be PID 1114
Then you add another privileged process to monitor a new connection. This sticks around until the login fails or, if the login succeeds, until you end the session. That is 28948 in my example above.
During the login, the privileged monitor process spawns an unprivileged process as user "sshd" to handle the authentication. This only sticks around until the login fails or succeeds. That probably would have been PID 28949 in my example, but as you see whatever its number it is gone and the login succeeded.
Then, if the login succeeds, the privileged monitor spawns a child process under the login user's id to handle the actual session. That would be 28950 in my example.
In addition to the concept of "privilege separation", see also the related concept of "least privilege"