SFTP Process IDs?

Could anyone explain to me or provide a link to a page that explains how sftp/sshd IDs work? I'm trying to troubleshoot some issues on an ftp server and am getting confused as to how the ID numbers are assigned. For example, the following below was pulled from a system's messages log; it starts off on ID 4183, then goes to 4185, then 4186. How is the ID determined, and how would I know these are all related besides the username? With regular ftp the ID stays the same from the time it connects to the time it quits.

Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: bad value 0 for SFTP_UMASK, turning umask control off.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath .
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
skullnobrains Commented:
i'm not sure i understand what you expect to find in what log file.

when sftp is used in a normal way, a client will initiate one connection that will be handled by one (forked) sshd process that will spawn one sftpd process. so a "session" will be handled by a single sftpd process with a single PID.

some clients run several parallel sftpd connections or may decide to disconnect and reconnect after each operation. a client could in theory run an intermediate shell and run several sftpd processes in turn or in parallel in the same sshd session, but it would not really serve any use, and i don't know of a client that does that.
Dave Baldwin (Fixer of Problems) Commented:
It looks to me like the numbers are related to the process or program that is running.  First is sshd[4185]: and then there is sftp-server[4186]: which is not exactly the same program or process.  Note that the first line is a request for the sftp-server server (which is on the second line) to start.

Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
dloszewski (Author) Commented:
yea, I understand that and I know for a fact that these three processes are related but I'm wondering how the system determines what they're going to be or why they change at all when they don't change during insecure ftp.
Dave Baldwin (Fixer of Problems) Commented:
With plain FTP, I believe you have only one program running for the whole process.  ssh/sftp is broken up into several programs that handle different parts of the job.  That is indicated by the 'subsystem request for sftp' in the first line above.

Maybe this will help: http://en.wikipedia.org/wiki/Secure_Shell  It describes a lot of the pieces that are used with ssh. Also check out PuTTY, which includes in its download many different pieces that are used with ssh. http://www.chiark.greenend.org.uk/~sgtatham/putty/
when doing sftp, you first connect through ssh
in ssh each new connection will cause sshd to fork a new process
then yet another process will be forked when sshd spawns sftp-server

it is easier to visualise if you run pstree on sshd's master process (the one in the pid file)

you cannot expect to predict the ids. the OS will usually increment the last spawned process's id by 1 and move to the next if such a process already exists. some systems randomise the pids or use completely different algorithms, but given your example i'd assume this one.

you can get the parent of a process with something like "ps -o ppid PID" and get its children using "ps --ppid PID". the switches might differ on your os
dloszewski (Author) Commented:
hmm, so I guess my question is if I'm trying to search for a connection in a log file that's sshd/sftp and am looking for the entire flow from the time the sshd process starts till the time the sftp exits, what would be the best way to do that? I guess I would have to just do everything +/- that PID?
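As an added example (not code posted by anyone in this thread), the following script does what the pstree / "ps --ppid" suggestion above does in one step: it parses `ps -e -o pid,ppid,comm` output, lists every descendant of the master sshd, and walks the PPID links back up from an sftp-server PID so the whole sshd -> sshd -> sftp-server chain of one session can be read off. The ps output embedded below is constructed to mirror the PIDs in the question (4183, 4185, 4186) and is not a real capture.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `ps -e -o pid,ppid,comm`, shaped after the thread's
# log: master sshd 1042 forks a per-connection sshd (4183), which forks the
# post-auth session sshd (4185), which forks sftp-server (4186).
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 init
 1042     1 sshd
 4183  1042 sshd
 4185  4183 sshd
 4186  4185 sftp-server
 4190  1042 sshd
 4191  4190 bash
"""

def parse_ps(text):
    """Return {pid: (ppid, comm)} from `ps -e -o pid,ppid,comm` output."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def descendants(procs, root):
    """Depth-first (pid, comm, depth) list under root, what pstree draws."""
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        children[ppid].append(pid)
    out = []
    def walk(pid, depth):
        for child in sorted(children[pid]):
            out.append((child, procs[child][1], depth))
            walk(child, depth + 1)
    walk(root, 1)
    return out

def session_chain(procs, pid):
    """Follow PPID links up from pid while the ancestor is sshd/sftp-server."""
    chain = []
    while pid in procs and procs[pid][1] in ("sshd", "sftp-server"):
        chain.append(pid)
        pid = procs[pid][0]
    return chain[::-1]  # master sshd first, e.g. [1042, 4183, 4185, 4186]

def live_ps():
    """Same parse against this host (procps/BSD-style ps syntax)."""
    return parse_ps(subprocess.check_output(["ps", "-e", "-o", "pid,ppid,comm"], text=True))
```

Run `session_chain(live_ps(), <sftp-server pid>)` on the real server to get the PIDs to grep for in the messages log; the chain is only recoverable while the processes are still alive, since the log itself does not record parent PIDs.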