sshd runs with -R flag?
Darren Tucker
dtucker at zip.com.au
Thu Jan 13 00:25:38 EST 2005
Robert Watson wrote:
> After installation everything seems to work well, but I notice that all
> of the child sshd daemons are running with a flag '-R' i.e.
[...]
> Why is that? (the -4 option I added myself, in the startup file).
>
> The -R doesn't seem to be documented anywhere and the archives of this
> list didn't reveal anything obvious.
Starting with 3.9x, sshd will re-exec itself for every connection. This
means that any exec-time process randomization (eg library offsets,
propolice canaries) will be different for each connection. (For a
thorough overview of what OpenBSD does, see [1]. Most platforms don't
have these, however this will hopefully change over time, for example if
the propolice patches get integrated into gcc).
sshd needs to do some things a little differently after it's re-execed
itself. -R is an internal flag that causes those changes in behaviour.
> Have I mis-configured something? I wonder if there is a problem with
> privilege seperation - I wasn't expecting to see so many processes
> running as root.
No, it looks normal. When PrivilegeSeparation is enabled, you will have
two sshds per connected user (with the exception of root logins), one
running as root (the "monitor") and one running as the logged-in user
(the "slave").
[1] http://www.openbsd.org/papers/auug04/
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list