How sshd spawns and reuses pids
Damien Miller
djm at mindrot.org
Tue Jul 29 10:23:58 AEST 2025
On Mon, 28 Jul 2025, Zakaria via openssh-unix-dev wrote:
[snip]
> Lastly, here is my most relevant question, Does and How sshd spawns
> and reuses ssh session with previous pids? and how it spawns each
> session processes and allocate its PID?
sshd just starts processes via fork(2), it can't really decide the PIDs
those processes are assigned - that's up to the kernels. Different
kernels use different PID assignment policies; some assign randomly,
some use (basically) last_pid++, some use mininum free PID.
As a general comment, your application should be prepared for PIDs being
reused. It will always happen eventually. If you are using PIDs to
identify processes without detecting when a process exits (e.g. using
eBPF on Linux), then you're setting yourself up for confusion.
> Could it be something like other services which runs sudo commands
> actually yields enumeration through sshd pid range continously until
> it hits previous recent terminated session which activates for as long
> as it runs, and thus produce almost like to my tracking of ssh pids,
> pid collision effect?
Brute-forcing fork(2) until you get the PID you want is basically the
only way for a user-space process to "select" a PID. I'd expect this to
be pretty noisy as, to be effective, a process doing this would need to
create a lot of processes and ideally hold them open until they hit the
PID they wanted.
> I really doubted every conclusion I reached, and I hope if anyone can
> help me on reaching a resolve and understand what is happening and
> help me deliver my dream email application soon to the world, any
> suggestion of place to investigate in sshd configs, service, process
> or anywhere else in Linux e.g. log any attempt to start ssh session
> before it gets started and the code execution which started? Any
> recommendation to do this as part of sshd binary? E.g. I can apply
> some code tweaks on source before compiling?
I don't know what you mean by "log any attempt to start ssh session
before it gets started" - sshd logs pretty much everything it does. You
could try turning on verbose or debug logging to see more of what it is
doing.
-d
More information about the openssh-unix-dev
mailing list