How sshd spawns and reuses pids
Zakaria
hi at zakaria.website
Wed Jul 30 05:32:50 AEST 2025
Hi Jochen and everyone,
Thanks so much for getting back to me.
SSH is not open to the internet, but I have 1 root process open to the
internet, which made me suspect the potential of one of those memory
corruption exploits, and, through some sort of payloadable whose reverse
shell my EDR is unable to detect for now yet, obtained sudo command
execution capabilities.
When I disable Default use_pty, I can no longer reproduce what I now
believe is a false-positive SSH session.
Therefore, what I think and have concluded is happening is the following.
UTMP keeps at least the last 48 hours of logs of SSH session PIDs as
exited sessions, and whenever I run sudo, e.g. sudo who -a, it reuses at
least one of the last exited session processes with a known PID, some of
which happened to belong to an SSH session, and this is causing the
randomness of the false positives that doubled my suspicions: sometimes
it uses a PID which belongs to a session no longer appearing in the UTMP
log, that's beyond 48 hours ago, and doesn't activate any session, thus
no false positive is triggered, yet otherwise sudo activates such an SSH
session for a second as the session for the sudo command and exits
again, and triggers a false positive.
Once more, disabling it by negating Default use_pty fixed this issue,
yet it breaks OpenSCAP recommendations; therefore, as remediation, I am
going to check whether the session process was terminated before
dispatching new SSH session notifications. I noticed that in 100% of
cases the process actually was terminated, but the log confusion is
caused by UTMP, as I know the who binary relies on UTMP.
And, thanks everyone for your input and helping me see more of what is
happening in Linux.
Please have a good day.
Zak.
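The remediation sketched at the end of the mail, checking whether the session process recorded in utmp is still alive before raising an SSH-session alert, written out as an added example that is not from the original post or from OpenSSH. It assumes the glibc x86_64 `struct utmp` record layout (384 bytes per record, the same format used by `/var/run/utmp` and `/var/log/wtmp`); the record builder, the sample records and the `live_sessions` / `same_process` functions are constructed here for illustration and are not part of any tool the mail mentions.

```python
"""Added example: only alert on utmp session entries whose process is still alive."""
import os
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed layout: glibc struct utmp on x86_64 Linux (384 bytes per record):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{termination,exit}, ut_session, ut_tv{sec,usec}, ut_addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 for this layout
USER_PROCESS = 7   # a logged-in session (what `who` lists)
DEAD_PROCESS = 8   # the session's process has exited


@dataclass
class UtmpRecord:
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one utmp record; used only to fabricate the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_utmp(data: bytes) -> List[UtmpRecord]:
    """Parse consecutive utmp records from a byte string; a trailing partial record is ignored."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _id, user, host = f[:6]
        out.append(UtmpRecord(ut_type, pid, _cstr(line), _cstr(user), _cstr(host), f[9]))
    return out


def proc_start_epoch(pid: int) -> float:
    """Start time of a live process as a Unix timestamp, read from procfs (Linux only)."""
    with open("/proc/stat") as fh:
        btime = next(int(l.split()[1]) for l in fh if l.startswith("btime "))
    with open(f"/proc/{pid}/stat") as fh:
        stat = fh.read()
    # field 22 (starttime, clock ticks since boot), counted after the ')' that ends comm
    starttime = int(stat[stat.rindex(")") + 2:].split()[19])
    return btime + starttime / os.sysconf("SC_CLK_TCK")


def same_process(pid: int, tv_sec: int, slack: int = 5) -> bool:
    """Liveness check that survives pid reuse: the pid must exist *and* have started
    no later than the utmp timestamp (plus slack). A recycled pid started afterwards."""
    try:
        return proc_start_epoch(pid) <= tv_sec + slack
    except (OSError, StopIteration, ValueError):
        return False


def live_sessions(records: List[UtmpRecord],
                  alive: Callable[[UtmpRecord], bool] = lambda r: same_process(r.pid, r.tv_sec)
                  ) -> List[UtmpRecord]:
    """Sessions worth alerting on: the newest entry per tty line is USER_PROCESS and
    its process still exists. A later DEAD_PROCESS entry for the same line closes it,
    so an old USER_PROCESS entry never fires just because its pid number is back in use."""
    latest: Dict[str, UtmpRecord] = {}
    for rec in records:            # file order; the last entry for a line wins
        latest[rec.line] = rec
    return [r for r in latest.values() if r.ut_type == USER_PROCESS and alive(r)]


# Constructed sample: one session that logged in and out, two still recorded as open.
SAMPLE = b"".join([
    make_record(USER_PROCESS, 4242, "pts/1", "alice", "10.0.0.5", 1_700_000_000),
    make_record(DEAD_PROCESS, 4242, "pts/1", "", "", 1_700_000_600),
    make_record(USER_PROCESS, 5151, "pts/2", "bob", "10.0.0.9", 1_700_001_000),
    make_record(USER_PROCESS, 6161, "pts/3", "carol", "10.0.0.7", 1_700_002_000),
])

if __name__ == "__main__":
    for rec in live_sessions(parse_utmp(SAMPLE)):
        print(f"alert: {rec.user} on {rec.line} from {rec.host} (pid {rec.pid})")
```

Run against a real file with `live_sessions(parse_utmp(open("/var/run/utmp", "rb").read()))`. The point of `same_process` is the caveat the mail circles around: the mere existence of `/proc/<pid>` does not prove the utmp entry's process is the one running now, since the kernel hands out pid numbers again; comparing the process start time with the utmp timestamp separates a still-open session from a recycled pid. If your libc uses a different `struct utmp` layout, adjust `UTMP_FMT` before trusting the parse.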