Solved

SFTP Process IDs?

Posted on 2014-03-03
Last Modified: 2014-03-05
Could anyone explain to me or provide a link to a page that explains how sftp/sshd IDs work? I'm trying to troubleshoot some issues on an ftp server and am getting confused as to how the ID numbers are assigned. For example, the following was pulled from a system's messages log; it starts off on ID 4183, then goes to 4185, then 4186. How is the ID determined and how would I know these are all related besides from the username? With regular ftp the ID stays the same from the time it connects to the time it quits.

Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from 192.168.0.1 port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: bad value 0 for SFTP_UMASK, turning umask control off.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath .
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
Question by:dloszewski

6 Comments

LVL 82

Expert Comment

by:Dave Baldwin
ID: 39901415
It looks to me like the numbers are related to the process or program that is running.  First is sshd[4185]: and then there is sftp-server[4186]: which is not exactly the same program or process.  Note that the first line is a request for the sftp-server server (which is on the second line) to start.

Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.


Author Comment

by:dloszewski
ID: 39901434
yea, I understand that and I know for a fact that these three processes are related but I'm wondering how the system determines what they're going to be or why they change at all when they don't change during insecure ftp.
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39901458
With plain FTP, I believe you have only one program running for the whole process.  ssh/sftp is broken up into several programs that handle different parts of the job.  That is indicated by the 'subsystem request for sftp' in the first line above.

Maybe this will help: http://en.wikipedia.org/wiki/Secure_Shell  It describes a lot of the pieces that are used with ssh. Also check out PuTTY, which includes in its download many different pieces that are used with ssh. http://www.chiark.greenend.org.uk/~sgtatham/putty/
LVL 26

Expert Comment

by:skullnobrains
ID: 39901840
when doing sftp, you first connect through ssh
in ssh each new connection will cause sshd to fork a new process
then yet another process will be forked when sshd spawns sftp-server

it is easier to visualise if you run pstree on sshd's master process (the one in the pid file)

you cannot expect to predict the ids. the OS will usually increment the last spawned process's id by 1 and move to the next if such a process already exists. some systems randomise the pids or use completely different algorithms but given your example i'd assume this one.

you can get the parent of a process with something like "ps -o ppid PID" and get its children using "ps --ppid PID". the switches might differ on your os

Author Comment

by:dloszewski
ID: 39903035
hmm, so I guess my question is if I'm trying to search for a connection in a log file that's sshd/sftp and am looking for the entire flow from the time the sshd process starts till the time the sftp exits, what would be the best way to do that? I guess I would have to just do everything +/- that PID?
LVL 26

Accepted Solution

by:
skullnobrains earned 500 total points
ID: 39906161
i'm not sure i understand what you expect to find in what log file.

when sftp is used in a normal way, a client will initiate one connection that will be handled by one (forked) sshd process that will spawn one sftpd process. so a "session" will be handled by a single sftpd process with a single PID.

some clients run several parallel sftpd connections or may decide to disconnect and reconnect after each operation. a client could in theory run an intermediate shell and run several sftpd process in turn or in parallel in the same sshd session but it would not really serve any use, and i don't know of a client that does that.
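An added example (not from the thread) for the question of following one sftp session through the messages log: since the PIDs are not predictable and syslog records no parent/child link, it stitches the sshd "Accepted" line, the sshd "subsystem request for sftp" line and the sftp-server lines into one record per session using log order and username. Message formats are those in the question's excerpt; the second user (test2), the late line for PID 4186 and the stray PID 4190 line are constructed sample data.

```python
import re

# Constructed sample log, modelled on the syslog excerpt in the question; user test2,
# the late 11:15:04 line for PID 4186 and the stray PID 4190 line are added here.
LOG = """\
Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from 192.168.0.1 port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath .
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
Jan 28 11:15:02 sslmftp1 sshd[4201]: Accepted password for test2 from 192.168.0.2 port 50111 ssh2
Jan 28 11:15:03 sslmftp1 sshd[4203]: subsystem request for sftp
Jan 28 11:15:03 sslmftp1 sftp-server[4204]: Starting sftp-server logging for user test2.
Jan 28 11:15:04 sslmftp1 sftp-server[4186]: realpath /prod/data/test1/incoming
Jan 28 11:15:05 sslmftp1 sftp-server[4204]: realpath .
Jan 28 11:15:06 sslmftp1 sftp-server[4190]: realpath .
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (sshd|sftp-server)\[(\d+)\]: (.*)$")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port \d+")
START_RE = re.compile(r"^Starting sftp-server logging for user (.+)\.$")

def correlate(log):
    """Return (sessions, orphans). PIDs carry no parent/child information in syslog and
    are not predictable, so the three processes of a session are tied by order and user."""
    sessions, orphans, by_sftp_pid = [], [], {}
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        raw, prog, pid, msg = m.group(0), m.group(1), int(m.group(2)), m.group(3)
        target = None
        if prog == "sshd" and (a := ACCEPT_RE.match(msg)):
            target = {"user": a.group(1), "client": a.group(2), "auth_pid": pid,
                      "subsystem_pid": None, "sftp_pid": None, "lines": []}
            sessions.append(target)  # authentication opens the session
        elif prog == "sshd" and msg.startswith("subsystem request for sftp"):
            # No username on this line: the newest session still waiting for a subsystem gets it.
            waiting = [s for s in sessions if s["subsystem_pid"] is None]
            if waiting:
                target = waiting[-1]
                target["subsystem_pid"] = pid
        elif prog == "sftp-server" and (st := START_RE.match(msg)):
            # The username binds this sftp-server PID to that user's oldest session without one.
            waiting = [s for s in sessions if s["user"] == st.group(1) and s["sftp_pid"] is None]
            if waiting:
                target = by_sftp_pid[pid] = waiting[0]
                target["sftp_pid"] = pid
        elif prog == "sftp-server":
            target = by_sftp_pid.get(pid)  # later lines from a known PID join its session
        (target["lines"] if target else orphans).append(raw)  # unknown PID: report, don't guess
    return sessions, orphans
```

Lines from a PID that never announced its user (4190 above) end up in `orphans`, which is the case to look at when a session seems to be missing from the log.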