Hi, I'm doing test with OpenSSH. The question I have
is when I issue "ssh -l test1 localhost", there are
two additional "sshd" daemons spawned - there should
be only one. I don't know why. Appreciate if anybody
can give me some clue. Please make sure to include my
address since I'm not in the list yet. Thanks in
advance.
Below is the procedure:
$ ps -ef | grep sshd
root 4953 1 0 10:04:32 ? 0:00 /usr/local/sbin/sshd
wroger 5088 4751 0 10:29:21 pts/2 0:00 grep sshd
$
$
$ ssh -l test1 192.168.182.184
test1 at 192.168.182.184's password:
Last login: Thu Oct 24 10:32:32 2002 from unknown
Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001
$ ps -ef | grep sshd
test1 5198 5196 0 10:32:47 ? 0:00 /usr/local/sbin/sshd
root 4953 1 0 10:04:32 ? 0:00 /usr/local/sbin/sshd
root 5196 4953 1 10:32:43 ? 0:00 /usr/local/sbin/sshd
$
$ ps -ef | grep ssh
test1 5198 5196 0 10:32:47 ? 0:00 /usr/local/sbin/sshd
root 4953 1 0 10:04:32 ? 0:00 /usr/local/sbin/sshd
wroger 5166 4751 0 10:32:42 pts/2 0:01 ssh -l test1 192.168.182.184
root 5196 4953 0 10:32:43 ? 0:00 /usr/local/sbin/sshd
$

This is the correct behavior. This is what privilege separation does. After you log in it splits into two sections.. the 'user owned' part which drops all root privs and which does 99% of the work, and a root privs part that only does SELECTIVE things that require root to do them.

- Ben
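
Added example (not part of the thread and not OpenSSH code): a Python script that reads `ps -ef` output like the listing in the question and labels each sshd as the listener, the per-connection root process, or the user-owned process described in the reply above. The role labels and the "root session with no unprivileged child" check are this example's own heuristic, and the sample rows are the post's listing with the wrapped lines rejoined.

```python
# Constructed sample: the second `ps -ef | grep sshd` listing from the post,
# with the mail-wrapped lines rejoined.
SAMPLE_PS = """\
test1 5198 5196 0 10:32:47 ? 0:00 /usr/local/sbin/sshd
root 4953 1 0 10:04:32 ? 0:00 /usr/local/sbin/sshd
root 5196 4953 1 10:32:43 ? 0:00 /usr/local/sbin/sshd
"""


def parse_ps(text, name="sshd"):
    """Return {pid: (user, ppid)} for rows whose command basename is `name`.

    Assumes the `ps -ef` column order UID PID PPID C STIME TTY TIME CMD with a
    one-token STIME, as in the listing above.
    """
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 7)
        if len(f) < 8 or not (f[1].isdigit() and f[2].isdigit()):
            continue  # header line or malformed row
        if f[7].split()[0].rsplit("/", 1)[-1] == name:
            procs[int(f[1])] = (f[0], int(f[2]))
    return procs


def classify(procs):
    """Label each sshd by its place in the privilege-separation tree."""
    roles = {}
    for pid, (user, ppid) in procs.items():
        if ppid not in procs:
            roles[pid] = "listener"        # master daemon, parent is not sshd
        elif user in ("root", "0"):
            roles[pid] = "monitor"         # per-connection process, keeps root
        else:
            roles[pid] = "child:" + user   # user-owned, root privileges dropped
    return roles


def monitors_without_child(procs):
    """Heuristic: root per-connection sshd with no non-root sshd child."""
    roles = classify(procs)
    has_child = {ppid for pid, (_, ppid) in procs.items()
                 if roles[pid].startswith("child:")}
    return sorted(p for p, r in roles.items()
                  if r == "monitor" and p not in has_child)


if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    for pid, role in sorted(classify(table).items()):
        print(pid, role)
    print("root sessions lacking a child:", monitors_without_child(table))
```

A PID returned by `monitors_without_child` is a root-owned session process with no unprivileged sshd beneath it, which is what a connection looks like when privilege separation is turned off or while the connection is still being set up.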

The only time that I think a person should be concerned is if you have a very constrained process table and a lot of users. It will take up extra process table entries, but that should be about it.

-----Original Message-----
From: William R. Knox
To: Roger Wang
Cc: openssh-unix-dev at mindrot.org
Sent: 10/25/02 12:50 PM
Subject: Re: A question about OpenSSH_3.4p1 on Solaris 8

I assume that the CPU overhead of splitting the processing into the two separate processes involves only the communication between the processes, given that the root process only handled things that have to be handled by root and the user-owned process takes care of everything else - therefore, there should be VERY little increased load as a result of privilege separation (which you can turn off as well, if you like) and only a limited additional memory use (for the additional process). Worth it for the protection, I think.

Bill Knox
Senior Operating Systems Programmer/Analyst
The MITRE Corporation

On Fri, 25 Oct 2002, Ben Lindstrom wrote:

> Date: Fri, 25 Oct 2002 10:53:38 -0500 (CDT)
> From: Ben Lindstrom <mouring at etoh.eviladmin.org>
> To: Roger Wang <xiwang17 at yahoo.com>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: A question about OpenSSH_3.4p1 on Solaris 8
>
> On Fri, 25 Oct 2002, Roger Wang wrote:
>
> > Ben, thanks for the reply.
> >
> > What made me curious is there is only one "sshd"
> > daemon generated for commercial SSH - I'm testing both
> > commercial SSH and openSSH.
>
> The reason is the commercial version of ssh lumps all root critical and
> non root critical code into one process. They step up or down the
> security as they need it. In the past such designs have proven that any
> slightest buffer overflow or bad coding can/will cause a compromised server.
>
> > Appreciate if you can give more input on this. I have
> > concern about the performance impact of "sshd".
>
> Never benchmarked it.. But I see one BSD server I connect to has 33 people
> on it and who knows what else is running on it. It seems to be doing
> very well (0.33 load or less). Not dead sure what hardware, but I know it
> is intel and not multiple processors.
>
> - Ben