How sshd spawns and reuses pids
Jochen Bern
Jochen.Bern at binect.de
Tue Jul 29 20:35:06 AEST 2025
On 28.07.25 23:36, Zakaria wrote:
> ... drove me to analyse every corner in linux system ...
> ... sometimes hours later like today and other days later, and in
> random times, I get notification of new ssh session was started, and
> when I login to server to inspect, I find no login session and no
> hinting traces in netstat, top, secure and messages log, utmp dump etc.
> I noticed all of session with specific PIDs which is getting reported as
> was active for very short period of time, are identical to previous
> sessions I started and have already terminated.
>
> After observing the server for months, I noticed I get report of new
> session report whenever I run sudo -i who -a command ...
This is from a rather busy (by our standards), Linux-based SFTP server
where I looked up the "history" of the sshd PID involved in my own login:
> # grep ' sshd\[26671\]: .* session ' /var/log/secure | sed -e 's/:.. .*://' -e 's/\( user [^b]\).*/\1.../'
> Jul 27 21:05 session opened for user t...
> Jul 27 21:05 session closed for user t...
> Jul 28 07:39 session opened for user C...
> Jul 28 07:39 session closed for user C...
> Jul 28 14:40 session opened for user C...
> Jul 28 14:40 session closed for user C...
> Jul 29 00:25 session opened for user l...
> Jul 29 00:25 session closed for user l...
> Jul 29 03:38 session opened for user C...
> Jul 29 03:38 session closed for user C...
> Jul 29 05:33 session opened for user n...
> Jul 29 05:33 session closed for user n...
> Jul 29 11:58 session opened for user bern by (uid=0)
As you can see, PIDs getting reused for different sessions is a
perfectly normal thing. The *frequency* at which it happens depends on
use (is your server's SSH port open to the entire Internet? If yes,
you're bound to be hit with scans 24/7) and other factors (our SFTP(!)
server still uses 32 bit PIDs), of course.
Having said that, if you see an *SSH session* being reported when
running the "sudo -i who -a" command (*without* SSHing into the server
anew every time you run it), something's amiss. It'll certainly
create "sessions" of some kind, so there's room for a misinterpretation,
depending on what inputs your detector uses, but it shouldn't involve
sshd, neither for itself nor as in "resurrecting" already-terminated SSH
sessions.
Since you mention that the server in question is being hosted, would it
be possible to run the detector and an artificial SSH-logins load on a
local machine to see whether the symptom appears there as well?
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
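An added worked example (not part of the thread, and not code from OpenSSH or the poster) that does in code what the grep/sed pipeline above does by hand, and also shows why a detector that keys only on "session opened" or only on a PID would misfire on "sudo -i who -a". It parses pam_unix session open/close lines in the /var/log/secure format, pairs them per (program, PID) so that one PID carrying several distinct sessions shows up as reuse rather than as one long session, and then counts as SSH logins only the opens logged by sshd itself, not the pam_unix(sudo:session) lines that sudo writes. The hostname, PIDs, usernames and timestamps in SAMPLE_LOG are constructed; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (syslog + pam_unix format).
# Host, PIDs, users and times are made up; PID 26671 is deliberately reused
# for three separate sshd sessions, and the sudo lines mimic "sudo -i who -a".
SAMPLE_LOG = """\
Jul 27 21:05:01 sftp1 sshd[26671]: pam_unix(sshd:session): session opened for user tuser by (uid=0)
Jul 27 21:05:03 sftp1 sshd[26671]: pam_unix(sshd:session): session closed for user tuser
Jul 28 07:39:10 sftp1 sshd[26671]: pam_unix(sshd:session): session opened for user cuser by (uid=0)
Jul 28 07:39:11 sftp1 sshd[26671]: pam_unix(sshd:session): session closed for user cuser
Jul 29 11:58:40 sftp1 sshd[26671]: pam_unix(sshd:session): session opened for user bern by (uid=0)
Jul 29 12:03:02 sftp1 sudo[31002]: bern : TTY=pts/0 ; PWD=/home/bern ; USER=root ; COMMAND=/usr/bin/who -a
Jul 29 12:03:02 sftp1 sudo[31002]: pam_unix(sudo:session): session opened for user root by bern(uid=0)
Jul 29 12:03:02 sftp1 sudo[31002]: pam_unix(sudo:session): session closed for user root
"""

# One regex for the pam_unix session lines; anything else (e.g. the sudo
# COMMAND= audit line) is deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z_-]+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<svc>[^:]+):session\): session (?P<event>opened|closed) "
    r"for user (?P<user>\S+)"
)


def parse_pam_sessions(text):
    """Return one dict per pam_unix session open/close line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def pair_sessions(events):
    """Group events by (program, PID) and pair each 'opened' with the next
    matching 'closed'. Result: {(prog, pid): [{user, opened, closed}, ...]}.
    A session still open at the end of the log keeps closed=None."""
    sessions = defaultdict(list)
    for ev in events:
        key = (ev["prog"], ev["pid"])
        if ev["event"] == "opened":
            sessions[key].append({"user": ev["user"], "opened": ev["ts"], "closed": None})
        else:
            # Close the most recent still-open session of that user on this PID.
            for s in reversed(sessions[key]):
                if s["closed"] is None and s["user"] == ev["user"]:
                    s["closed"] = ev["ts"]
                    break
    return dict(sessions)


def reused_pids(sessions, prog="sshd"):
    """PIDs of `prog` that carried more than one distinct session: {pid: count}.
    This is the PID-reuse pattern the grep output in the post shows."""
    return {pid: len(v) for (p, pid), v in sessions.items() if p == prog and len(v) > 1}


def ssh_logins(events):
    """New SSH logins are the session opens logged by sshd for the sshd PAM
    service. A pam_unix(sudo:session) open on the same host is a sudo
    session, not an SSH session, and must not be counted here."""
    return [(ev["ts"], ev["pid"], ev["user"]) for ev in events
            if ev["prog"] == "sshd" and ev["svc"] == "sshd" and ev["event"] == "opened"]


if __name__ == "__main__":
    evs = parse_pam_sessions(SAMPLE_LOG)
    sess = pair_sessions(evs)
    for (prog, pid), lst in sess.items():
        print(f"{prog}[{pid}]: {len(lst)} session(s)")
        for s in lst:
            print(f"  {s['opened']} -> {s['closed'] or 'still open'}  user={s['user']}")
    print("sshd PIDs reused:", reused_pids(sess))
    print("SSH logins:", ssh_logins(evs))
```

Run against the constructed log, sshd PID 26671 is reported as carrying three separate sessions (the third one still open), while the sudo open/close pair is listed under sudo[31002] and does not appear in ssh_logins(). A detector that matched on "session opened" alone would have flagged the sudo line; one keyed on the PID alone would have glued the later sshd sessions onto the first login on that PID.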