Solved

SFTP Process IDs?

Posted on 2014-03-03
Last Modified: 2014-03-05
Could anyone explain to me or provide a link to a page that explains how sftp/sshd IDs work? I'm trying to troubleshoot some issues on an ftp server and am getting confused as to how the ID numbers are assigned. For example, the following below was pulled from a system's messages log; it starts off on ID 4183, then goes to 4185, then 4186. How is the ID determined and how would I know these are all related besides the username? With regular ftp the ID stays the same from the time it connects to the time it quits.

Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from 192.168.0.1 port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: bad value 0 for SFTP_UMASK, turning umask control off.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath .
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
Question by: dloszewski
6 Comments

Expert Comment

by: Dave Baldwin
ID: 39901415
It looks to me like the numbers are related to the process or program that is running. First is sshd[4185]: and then there is sftp-server[4186]:, which is not exactly the same program or process. Note that the first line is a request for the sftp-server server (which is on the second line) to start.

Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.

Author Comment

by: dloszewski
ID: 39901434
Yea, I understand that and I know for a fact that these three processes are related, but I'm wondering how the system determines what they're going to be or why they change at all when they don't change during insecure ftp.

Expert Comment

by: Dave Baldwin
ID: 39901458
With plain FTP, I believe you have only one program running for the whole process. ssh/sftp is broken up into several programs that handle different parts of the job. That is indicated by the 'subsystem request for sftp' in the first line above.

Maybe this will help: http://en.wikipedia.org/wiki/Secure_Shell  It describes a lot of the pieces that are used with ssh. Also check out PuTTY, which includes in its download many different pieces that are used with ssh. http://www.chiark.greenend.org.uk/~sgtatham/putty/

Expert Comment

by: skullnobrains
ID: 39901840
When doing sftp, you first connect through ssh.
In ssh each new connection will cause sshd to fork a new process.
Then yet another process will be forked when sshd spawns sftp-server.

It is easier to visualise if you run pstree on sshd's master process (the one in the pid file).

You cannot expect to predict the ids. The OS will usually increment the last spawned process's id by 1 and move to the next if such a process already exists. Some systems randomise the pids or use completely different algorithms, but given your example I'd assume this one.

You can get the parent of a process with something like "ps -o ppid PID" and get its children using "ps --ppid PID". The switches might differ on your OS.

Author Comment

by: dloszewski
ID: 39903035
Hmm, so I guess my question is: if I'm trying to search for a connection in a log file that's sshd/sftp and am looking for the entire flow from the time the sshd process starts till the time the sftp exits, what would be the best way to do that? I guess I would have to just do everything +/- that PID?

Accepted Solution

by: skullnobrains (earned 500 total points)
ID: 39906161
I'm not sure I understand what you expect to find in what log file.

When sftp is used in a normal way, a client will initiate one connection that will be handled by one (forked) sshd process that will spawn one sftpd process. So a "session" will be handled by a single sftpd process with a single PID.

Some clients run several parallel sftpd connections or may decide to disconnect and reconnect after each operation. A client could in theory run an intermediate shell and run several sftpd processes in turn or in parallel in the same sshd session, but it would not really serve any use, and I don't know of a client that does that.
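An added example (not code from this thread) of what the last author comment asks for: pulling one session's lines out of a messages log. Following the accepted solution, it joins the sshd "Accepted" line to the "Starting sftp-server logging" line by user name within a time window, since PIDs cannot be assumed consecutive, and then collects the rest of the session by the sftp-server PID; the sample log is constructed and the window value is an assumption.

```python
import re
from datetime import datetime

# Syslog shape from the question: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (sshd|sftp-server)\[(\d+)\]: (.*)$")
AUTH_RE = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port \d+")
START_RE = re.compile(r"^Starting sftp-server logging for user (\S+)\.")

def correlate(lines, window=10):
    """Group sshd/sftp-server lines into SFTP sessions without assuming consecutive PIDs:
    auth and sftp-server start are joined on user name within `window` seconds, then on PID."""
    sessions, pending, by_pid, orphans = [], [], {}, []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # line from some other program
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")  # syslog has no year
        prog, pid, msg = m.group(2), int(m.group(3)), m.group(4)
        auth = AUTH_RE.match(msg) if prog == "sshd" else None
        start = START_RE.match(msg) if prog == "sftp-server" else None
        if auth:
            s = {"user": auth.group(1), "src": auth.group(2), "sshd_pids": [pid],
                 "sftp_pid": None, "started": ts, "lines": [raw]}
            sessions.append(s); pending.append(s)
        elif prog == "sshd" and "subsystem request for sftp" in msg and pending:
            # post-auth sshd child names no user: attach to newest auth lacking an sftp-server
            pending[-1]["sshd_pids"].append(pid); pending[-1]["lines"].append(raw)
        elif start:
            cands = [s for s in pending if s["user"] == start.group(1)
                     and (ts - s["started"]).total_seconds() <= window]
            if not cands:
                orphans.append(raw); continue
            s = cands[-1]; pending.remove(s); s["sftp_pid"] = pid
            by_pid[pid] = s; s["lines"].append(raw)
        elif prog == "sftp-server" and pid in by_pid:
            by_pid[pid]["lines"].append(raw)
        else:
            orphans.append(raw)  # not attributable; PID reuse is one cause
    return sessions, orphans

# Constructed sample: the question's session plus a second one with non-consecutive PIDs
SAMPLE = """\
Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from 192.168.0.1 port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:48 sslmftp1 sshd[4190]: Accepted publickey for test2 from 192.168.0.2 port 40001 ssh2
Jan 28 11:14:49 sslmftp1 sftp-server[4403]: Starting sftp-server logging for user test2.
Jan 28 11:14:50 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
Jan 28 11:14:51 sslmftp1 sftp-server[9999]: realpath /tmp
""".splitlines()
```

Lines that cannot be tied to a session end up in the second return value, which is where a reused PID or a missing "Starting sftp-server logging" line shows up.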