SFTP Process IDs?

Posted on 2014-03-03
Last Modified: 2014-03-05
Could anyone explain to me or provide a link to a page that explains how sftp/sshd IDs work? I'm trying to troubleshoot some issues on an ftp server and am getting confused as to how the ID numbers are assigned. For example, the following below was pulled from a system's messages log; it starts off on ID 4183, then goes to 4185, then 4186. How is the ID determined and how would I know these are all related besides from the username? With regular ftp the ID stays the same from the time it connects to the time it quits.

Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from 192.168.0.1 port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: bad value 0 for SFTP_UMASK, turning umask control off.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath .
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
Question by:dloszewski
6 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39901415
It looks to me like the numbers are related to the process or program that is running.  First is sshd[4185]: and then there is sftp-server[4186]: which is not exactly the same program or process.  Note that the first line is a request for the sftp-server server (which is on the second line) to start.

Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.

 

Author Comment

by:dloszewski
ID: 39901434
yea, I understand that and I know for a fact that these three processes are related but I'm wondering how the system determines what they're going to be or why they change at all when they don't change during insecure ftp.
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39901458
With plain FTP, I believe you have only one program running for the whole process.  ssh/sftp is broken up into several programs that handle different parts of the job.  That is indicated by the 'subsystem request for sftp' in the first line above.

Maybe this will help: http://en.wikipedia.org/wiki/Secure_Shell  It describes a lot of the pieces that are used with ssh.  Also check out PuTTY, which includes in its download many of the different pieces that are used with ssh.  http://www.chiark.greenend.org.uk/~sgtatham/putty/
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39901840
when doing sftp, you first connect through ssh
in ssh each new connection will cause sshd to fork a new process
then yet another process will be forked when sshd spawns sftp-server

it is easier to visualise if you run pstree on sshd's master process (the one in the pid file)

you cannot expect to predict the ids. the OS will usually increment the last spawned process's id by 1 and move to the next if such a process already exists. some systems randomise the pids or use completely different algorithms but given your example i'd assume this one.

you can get the parent of a process with something like "ps -o ppid PID" and get its children using "ps --ppid PID". the switches might differ on your os
 

Author Comment

by:dloszewski
ID: 39903035
hmm, so I guess my question is if I'm trying to search for a connection in a log file that's sshd/sftp and am looking for the entire flow from the time the sshd process starts till the time the sftp exits, what would be the best way to do that? I guess I would have to just do everything +/- that PID?
 
LVL 27

Accepted Solution

by:
skullnobrains earned 2000 total points
ID: 39906161
i'm not sure i understand what you expect to find in what log file.

when sftp is used in a normal way, a client will initiate one connection that will be handled by one (forked) sshd process that will spawn one sftpd process. so a "session" will be handled by a single sftpd process with a single PID.

some clients run several parallel sftpd connections or may decide to disconnect and reconnect after each operation. a client could in theory run an intermediate shell and run several sftpd processes in turn or in parallel in the same sshd session but it would not really serve any use, and i don't know of a client that does that.
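
Added example (not part of the original thread): a shell sketch of the parent/child lookup suggested above with "ps -o ppid", used to pull one session's lines out of the messages log. The process snapshot is constructed; the sshd master PID 1022, PID 4190 and all parent links are assumptions, and only 4183/4185/4186 come from the question.

```shell
#!/bin/sh
# Constructed snapshot in `ps -e -o pid=,ppid=,comm=` layout (PID PPID COMMAND).
# 4183/4185/4186 come from the log in the question; the master PID 1022,
# PID 4190 and every parent link are assumptions made for this example.
SAMPLE_PS='   1    0 init
1022    1 sshd
4183 1022 sshd
4185 4183 sshd
4186 4185 sftp-server
4190 1022 sshd'

# Log lines from the question plus one constructed, unrelated login (4190).
SAMPLE_LOG='Jan 28 11:14:46 sslmftp1 sshd[4183]: Accepted password for test1 from 192.168.0.1 port 57702 ssh2
Jan 28 11:14:47 sslmftp1 sshd[4185]: subsystem request for sftp
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: Starting sftp-server logging for user test1.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: bad value 0 for SFTP_UMASK, turning umask control off.
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath .
Jan 28 11:14:47 sslmftp1 sftp-server[4186]: realpath /prod/data/test1
Jan 28 11:14:50 sslmftp1 sshd[4190]: Accepted password for test2 from 192.168.0.2 port 57710 ssh2'

# session_pids LEAF MASTER < ps-snapshot
# Walk parent links upward from LEAF and stop at MASTER (the PID in sshd's
# pid file); prints the session's PIDs, oldest first.
session_pids() {
    awk -v leaf="$1" -v master="$2" '
        { parent[$1] = $2 }
        END {
            for (p = leaf; (p in parent) && p != master; p = parent[p])
                out = (out == "" ? p : p " " out)
            print out
        }'
}

# session_log "PID PID ..." < syslog
# Keep only lines whose program[PID]: tag carries one of the given PIDs.
session_log() {
    awk -v pids="$1" '
        BEGIN { n = split(pids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        match($5, /\[[0-9]+\]:$/) && (substr($5, RSTART + 1, RLENGTH - 3) in want)'
}

pids=$(printf '%s\n' "$SAMPLE_PS" | session_pids 4186 1022)
echo "session PIDs: $pids"
printf '%s\n' "$SAMPLE_LOG" | session_log "$pids"
```

On a live host the snapshot would come from `ps -e -o pid=,ppid=,comm=` piped into `session_pids`. The log lines shown in the question carry no parent PID, so the ps snapshot has to be taken while the session's processes are still running.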