Hi, we are noticing 30 - 40 sshd pids on our hpux server. No one to my knowledge is logging in with ssh. All user log in through telnet. Here is a sample when I grep for sshd


$ ps -ef | grep sshd
root 814 1 0 May 25 ? 0:00 /opt/ssh/sbin/sshd
jhoward 3289 3281 0 16:11:13 ? 0:00 sshd: jhoward@pts/2
josephg 14729 14691 0 May 26 ? 0:07 sshd: josephg@notty
root 14461 814 0 May 26 ? 0:00 sshd: josephg [priv]
banks 11393 11383 0 May 26 ? 0:00 sshd: banks@notty
root 11383 814 0 May 26 ? 0:00 sshd: banks [priv]
josephg 14482 14461 0 May 26 ? 0:01 sshd: josephg@notty
root 14691 814 0 May 26 ? 0:00 sshd: josephg [priv]
root 24840 814 0 06:59:58 ? 0:00 sshd: banks [priv]
root 5882 814 0 May 26 ? 0:00 sshd: sheffer [priv]
jhoward 10005 9955 0 May 26 ? 0:00 sshd: jhoward@notty
bartok 11265 11254 0 09:04:24 ? 0:00 sshd: bartok@pts/13
sheffer 5845 5830 0 May 26 ? 0:00 sshd: sheffer@notty
banks 25239 24840 0 07:00:17 ? 0:04 sshd: banks@pts/0
josephg 28225 28200 0 08:24:17 ? 0:02 sshd: josephg@pts/10

We are concerned that this could be causing some problems with our main app. Any suggestions would be appreciated.

FIRST: Quit using telnet - it is a major security hole. You should be using ssh instead.

Having said that some ideas for investigation:
Is it possible the users are logging in via telnnet then doing ssh OUT to some other system?

Is it possible the users are doing scp or sftp file transfers? Both of those rely on ssh setup.

If you don't already have it download lsof. You can run "lsof -p <pid> -a -i" to see any network connections related the process ID you specify so you can tell what the other side of the connection is.

Also run "lsof -i :22" to see if sshd is actually doing a LISTEN. You might try turning off the pid that is LISTENing to see if it stops anything working. It may be you have an application that is automatically opening ssh connections for some reason.

Make sure you run "ps -ef |grep <pid>" to determine any related processes (parents or children) to the ones you found.

Look at logs in /var/adm/syslog directory to see if they provide any additional details.

Check for ~<user>/.ssh/authorized_keys files in the home directories of the users. It may be that even though most users don't use ssh that you've got some that know about and have setup ssh trusts from other machinnes to allow quick login without password.

If you have Windows uers running PuTTY it allows for telnet (port 23) but defaults to ssh (port 22). You may simply have users using ssh without realizing they are due to a default to port 22.