
before login:

$ ps -elf | grep sshd
5 S root     26135     1  0  80   0 - 13115 ?      17:26 ?        00:00:00 /usr/sbin/sshd
0 S test     26480 21337  0  80   0 -  4154 -      18:41 pts/27   00:00:00 grep --colour=auto sshd

after login:

$ ps -elf | grep sshd
5 S root     26135     1  0  80   0 - 13115 ?      17:26 ?        00:00:00 /usr/sbin/sshd
4 S root     26577 26135  0  80   0 - 24204 ?      18:42 ?        00:00:00 sshd: test [priv] 
5 S test     26582 26577  0  80   0 - 24204 ?      18:42 ?        00:00:00 sshd: test@pts/30 
0 S test     26653 21337  0  80   0 -  4155 -      18:42 pts/27   00:00:00 grep --colour=auto sshd

What are the two processes for?

4 S root     26577 26135  0  80   0 - 24204 ?      18:42 ?        00:00:00 sshd: test [priv] 
5 S test     26582 26577  0  80   0 - 24204 ?      18:42 ?        00:00:00 sshd: test@pts/30

Thanks,

wei


Privilege separation - one process that retains root privileges to do things that only root can do, and another that does everything else.

At the time this question was asked, privilege separation was controlled by an option in sshd_config, and the sshd_config man page explained what it was for. Privilege separation became mandatory in version 7.5, so that option and its documentation are gone. I no longer know where to find the canonical documentation of the privilege separation feature, if any such documentation exists.

The last version of the man page item before removal said:

UsePrivilegeSeparation – Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The argument must be yes, no, or sandbox. If UsePrivilegeSeparation is set to sandbox then the pre-authentication unprivileged process is subject to additional restrictions. The default is sandbox.

Martin Prikryl
  • Thanks for the pointer. After I took a closer look at it, it looks like there are 3 processes created during login: one running in privileged mode, one running as the unprivileged "sshd" user; after authentication finishes, this unprivileged process gets killed and a new sshd process is created under the login name. Is there anywhere documenting this in detail, e.g. the interactions between these processes? Thanks. – wei Apr 01 '14 at 18:27
  • @wei, yes, it's documented in http://BXR.SU/OpenBSD/usr.bin/ssh/sshd.c. If you search for `fork`, you'll find that it's used once in [`privsep_preauth()`](http://BXR.SU/OpenBSD/usr.bin/ssh/sshd.c#privsep_preauth) and again in [`privsep_postauth()`](http://BXR.SU/OpenBSD/usr.bin/ssh/sshd.c#privsep_postauth). – cnst Apr 01 '14 at 20:10
  • @WumpusQWumbley, the link provided does not seem to contain any section about UsePrivilegeSeparation. The only reference to privilege separation is at the bottom, in the credits section. Am I missing something? :) – Sorin Postelnicu Apr 26 '18 at 06:12
  • @SorinPostelnicu You're not, but it appears the OpenBSD project is missing any documentation of privsep. –  Apr 26 '18 at 12:50
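The post-authentication layout described in the answer and in wei's comment (a root `[priv]` monitor whose child is the session process running as the authenticated user) can be checked mechanically from `ps -elf` output. The script below is an added example, not code from the question, the answer or OpenSSH; it assumes the column layout of the `ps -elf` listing in the question and embeds that listing as constructed sample input.

```shell
#!/bin/sh
# Added example: verify the sshd privilege-separation layout in `ps -elf`.
# For every "sshd: <user> [priv]" monitor we expect that it runs as root and
# has a child "sshd: <user>@<tty>" that runs as <user>. Prints
# "user monitor_pid child_pid" per pair and returns non-zero if a monitor
# is not root or lacks a correctly owned child. Assumes the `ps -elf` layout
# from the question (CMD starts at field 15); the short-lived pre-auth
# "[net]" child running as the sshd user is not checked here.

privsep_pairs() {
    awk '
    $15 == "sshd:" && $17 == "[priv]" { user[$4] = $16; mon_uid[$4] = $3 }
    $15 == "sshd:" && index($16, "@") > 0 {
        split($16, a, "@")
        child_user[$4] = a[1]; child_uid[$4] = $3; child_ppid[$4] = $5
    }
    END {
        bad = 0
        for (m in user) {
            if (mon_uid[m] != "root") bad = 1   # monitor must keep root
            found = 0
            for (c in child_ppid) {
                if (child_ppid[c] != m) continue
                found = 1
                # the session process must run as the authenticated user
                if (child_uid[c] != user[m] || child_user[c] != user[m]) bad = 1
                print user[m], m, c
            }
            if (!found) bad = 1
        }
        exit bad
    }'
}

# Constructed sample: the post-login `ps -elf` lines from the question.
sample_ps() {
    cat <<'EOF'
5 S root     26135     1  0  80   0 - 13115 ?      17:26 ?        00:00:00 /usr/sbin/sshd
4 S root     26577 26135  0  80   0 - 24204 ?      18:42 ?        00:00:00 sshd: test [priv]
5 S test     26582 26577  0  80   0 - 24204 ?      18:42 ?        00:00:00 sshd: test@pts/30
0 S test     26653 21337  0  80   0 -  4155 -      18:42 pts/27   00:00:00 grep --colour=auto sshd
EOF
}

# Constructed negative sample: the session process wrongly runs as root.
bad_sample_ps() {
    sample_ps | sed '/26582 26577/s/test/root/'
}

sample_ps | privsep_pairs
```

On a live host, replace `sample_ps` with `ps -elf` and treat a non-zero exit as something to look at.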