SFTP Process IDs?

Posted on 2014-03-03
Last Modified: 2014-03-05
Could anyone explain to me or provide a link to a page that explains how sftp/sshd IDs work? I'm trying to troubleshoot some issues on an ftp server and am getting confused as to how the ID numbers are assigned. For example, the following below was pulled from a system's messages log, it starts off on ID 4183, then goes to 4185, then 4186. How is the ID determined and how would I know these are all related besides from the username? With regular ftp the ID stays the same from the time it connects to the time it quits.

Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: bad value 0 for SFTP_UMASK, turning umask control off.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath .
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
Question by:dloszewski

Expert Comment

by:Dave Baldwin
ID: 39901415
It looks to me like the numbers are related to the process or program that is running.  First is sshd[4185]: and then there is sftp-server[4186]: which is not exactly the same program or process.  Note that the first line is a request for the sftp-server server (which is on the second line) to start.

Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.


Author Comment

ID: 39901434
yea, I understand that and I know for a fact that these three processes are related but I'm wondering how the system determines what they're going to be or why they change at all when they don't change during insecure ftp.

Expert Comment

by:Dave Baldwin
ID: 39901458
With plain FTP, I believe you have only one program running for the whole process.  ssh/sftp is broken up into several programs that handle different parts of the job.  That is indicated by the 'subsystem request for sftp' in the first line above.

Maybe this will help:  It describes a lot of the pieces that are used with ssh.  Also check out PuTTY which includes in its download many different pieces that are used with ssh.

Expert Comment

ID: 39901840
when doing sftp, you first connect through ssh
in ssh each new connection will cause sshd to fork a new process
then yet another process will be forked when sshd spawns sftp-server

it is easier to visualise if you run pstree on sshd's master process (the one in the pid file)

you cannot expect to predict the ids. the OS will usually increment the last spawned process's id by 1 and move to the next if such a process already exists. some systems randomise the pids or use completely different algorithms but given your example i'd assume this one.

you can get the parent of a process with something like "ps -o ppid PID" and get its children using "ps --ppid PID". the switches might differ on your os

Author Comment

ID: 39903035
hmm, so I guess my question is if I'm trying to search for a connection in a log file that's sshd/sftp and am looking for the entire flow from the time the sshd process starts till the time the sftp exits, what would be the best way to do that? I guess I would have to just do everything +/- that PID?

Accepted Solution

skullnobrains earned 500 total points
ID: 39906161
i'm not sure i understand what you expect to find in what log file.

when sftp is used in a normal way, a client will initiate one connection that will be handled by one (forked) sshd process that will spawn one sftpd process. so a "session" will be handled by a single sftpd process with a single PID.

some clients run several parallel sftpd connections or may decide to disconnect and reconnect after each operation. a client could in theory run an intermediate shell and run several sftpd processes in turn or in parallel in the same sshd session but it would not really serve any use, and i don't know of a client that does that.
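
An added example, not part of the original thread and not code from any poster: it ties the log lines from the question into sessions by following the parent PIDs that the answers above describe (one sshd forked per connection, which in turn spawns sftp-server). It assumes a `ps -eo pid,ppid,comm` snapshot was saved while the sessions were live; the master sshd PID 1021, the second session (5200-5203) and every parent link in the snapshot are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `ps -eo pid,ppid,comm` snapshot. PIDs 4183/4185/4186 are from the
# page's log; master PID 1021, PIDs 5200-5203 and all parent links are assumptions.
PS_SNAPSHOT = """\
  PID  PPID COMMAND
 1021     1 sshd
 4183  1021 sshd
 4185  4183 sshd
 4186  4185 sftp-server
 5200  1021 sshd
 5202  5200 sshd
 5203  5202 sftp-server
"""

# First six lines are the log quoted in the question; the last line is constructed.
LOG = """\
Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: bad value 0 for SFTP_UMASK, turning umask control off.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath .
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
Jan 28 11:15:03 sslmftp1 sftp-server[5203]: Starting sftp-server logging for user test2.
"""
LOG_PID = re.compile(r"\s(?:sshd|sftp-server)\[(\d+)\]:")

def parent_map(ps_text):
    """Map pid -> ppid from `ps -eo pid,ppid,comm` output (header line skipped)."""
    rows = (line.split() for line in ps_text.splitlines()[1:])
    return {int(r[0]): int(r[1]) for r in rows if len(r) >= 3}

def session_root(pid, parents, master):
    """Walk up to the sshd forked directly by the master; None if not under it."""
    for _ in range(len(parents)):  # bounded, so a malformed snapshot cannot loop
        if parents.get(pid) in (None, master):
            break
        pid = parents[pid]
    return pid if parents.get(pid) == master else None

def group_by_session(log_text, ps_text, master):
    """Return {session root pid: [log lines]}; unknown PIDs land under None."""
    parents = parent_map(ps_text)
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_PID.search(line)
        if m:
            sessions[session_root(int(m.group(1)), parents, master)].append(line)
    return dict(sessions)
```

The log lines shown in the question carry no parent PID, so the snapshot has to be captured while the processes still exist; lines from PIDs missing from it are grouped under `None` rather than guessed at.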
