Currently it's like this:

sshd [listener]
  |
  exec
  |
sshd-session [privsep monitor]
  |
  |   fork
  |    |
  |   sshd-session [preauth unpriv]
  |
  fork (after auth completes)
  |
sshd-session [postauth unpriv]

I think the next step will be to move the preauth unpriv process into its
own binary.

The final step will be to move the postauth unpriv process to a separate
binary, as well as (for portable) adding a new ssh-pam-helper binary that
will be called by the privsep monitor.

At that point, there will be no address-space inheritance and minimal code
sharing between the various processes.

On Sun, 14 Jul 2024, Lars Noodén wrote:

> I realize that the splitting of the sshd binaries is a work in progress.
> Nonetheless I am trying to make a diagram of the situation as of 9.8.
> How close have I gotten?
>
> Is it correct that currently for a basic session, binaries are run four
> ways?
>
> 1. A privileged binary to listen for incoming connections (66717 below)
>
> 2. A privileged session monitor to track the session, for the duration
>    of the session (1095 below)
>
> 3. A temporary, unprivileged binary to negotiate the key exchange and
>    the authentication with the privileged monitor (6801 below)
>
> 4. An unprivileged binary running as the main account for the duration
>    of the session (95350 below)
>
> Here is what I am seeing with ps:
>
> $ ps -ax -o user,pid,ppid,args | grep [s]shd
> root  66717     1 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
>
> $ ps -ax -o user,pid,ppid,args | grep [s]shd
> root  66717     1 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups (sshd)
> root   1095 66717 sshd-session: lars [priv] (sshd-session)
> sshd   6801  1095 sshd-session: lars [net] (sshd-session)
>
> $ ps -ax -o user,pid,ppid,args | grep [s]shd
> root  66717     1 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
> root   1095 66717 sshd-session: lars [priv] (sshd-session)
> lars  95350  1095 sshd-session: lars@ttyp1 (sshd-session)
>
> And here is an ASCII art interpretation sequence, partially based on
> Niels Provos' privilege separation diagram from 2003:
>
> +----------+
> | priv     | <========================================= New Connection
> | listener |
> | (root)   |
> |          |
> |          |  +---------+
> |          +--+ priv    |
> |          |  | session |
> |          |  | monitor |
> |          |  | (root)  |                  +--------+
> |          |  |         +------------------+ unpriv |
> |          |  |         |                  | net    | ==> Key Exchange
> |          |  |         |                  | (sshd) | <==
> |          |  |         |                  |        |
> |          |  |         |                  |        | ==> Authentication
> |          |  |         |                  |        | <==
> |          |  |         | <== Req Auth === |        |
> |          |  |         | = Auth Result => |        |
> |          |  |         |                  +--------+
> |          |  |         |
> |          |  |         |                  +---------+
> |          |  |         +------------------+ unpriv  |
> |          |  |         |                  | session |
> |          |  |         | <== Req PTY ==== | (lars)  |
> |          |  |         | === Pass PTY ==> |         |
> |          |  |         |                  |         | ==> Net traffic
> |          |  |         |                  |         | <==
> +----------+  +---------+                  +---------+
>
> Have I missed or misinterpreted anything?
>
> Thanks.
> /Lars
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
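As an added example (not code from the thread, from Lars, or from the OpenSSH project), the following POSIX shell script turns the ps-based inspection above into an automated check of the privilege-separation invariants the reply describes: the listener and the [priv] monitor run as root, the [priv] monitor is a child of the listener, the preauth [net] child must not run as root and must hang off a monitor, and the postauth process must run as the login user named in its process title. The listings it runs on are constructed: the pids and the second connection (alice) are invented, while the process titles copy the format shown in the thread's ps output.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSH project:
# classify an OpenSSH 9.8 process listing into the four roles discussed
# above (listener, privsep monitor, preauth [net] child, postauth session)
# and check the privilege-separation invariants between them.
# Input format is that of `ps -ax -o user,pid,ppid,args`, as in the thread.
# The pids and the second connection (alice) below are constructed.

SAMPLE_PS='USER    PID  PPID COMMAND
root  66717     1 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups (sshd)
root   1095 66717 sshd-session: lars [priv] (sshd-session)
sshd   6801  1095 sshd-session: lars [net] (sshd-session)
root   2200 66717 sshd-session: alice [priv] (sshd-session)
alice  2201  2200 sshd-session: alice@ttyp2 (sshd-session)'

# Constructed failure case: the preauth [net] child still runs as root,
# which is exactly what privsep is meant to prevent.
BAD_PS='root  66717     1 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups (sshd)
root   1095 66717 sshd-session: lars [priv] (sshd-session)
root   6801  1095 sshd-session: lars [net] (sshd-session)'

# check_privsep_tree: read ps lines on stdin, print "ROLE pid=.. user=.. ppid=.."
# per sshd process plus a "VIOLATION ..." line per broken invariant.
# Exit status 0 when clean, 1 when any violation was found.
check_privsep_tree() {
    awk '
    $2 !~ /^[0-9]+$/ { next }                 # skip a ps header line
    {
        user[$2] = $1; ppid[$2] = $3
        a = $4; for (i = 5; i <= NF; i++) a = a " " $i
        cmd[$2] = a; order[++n] = $2
    }
    END {
        # Pass 1: assign roles from the process title sshd sets.
        for (k = 1; k <= n; k++) {
            p = order[k]; a = cmd[p]
            if      (a ~ /^sshd: .*\[listener\]/)     { role[p] = "listener" }
            else if (a ~ /^sshd-session: .*\[priv\]/) { role[p] = "monitor" }
            else if (a ~ /^sshd-session: .*\[net\]/)  { role[p] = "preauth" }
            else if (a ~ /^sshd-session: [^ ]+@/)     { role[p] = "postauth" }
            else                                      { role[p] = "other" }
        }
        # Pass 2: check who runs each role and which role its parent has.
        bad = 0
        for (k = 1; k <= n; k++) {
            p = order[k]; r = role[p]; u = user[p]; parent = role[ppid[p]]
            printf "%s pid=%s user=%s ppid=%s\n", r, p, u, ppid[p]
            if (r == "listener" && u != "root") { print "VIOLATION listener " p " not root"; bad = 1 }
            if (r == "monitor") {
                if (u != "root")          { print "VIOLATION monitor " p " not root"; bad = 1 }
                if (parent != "listener") { print "VIOLATION monitor " p " parent is not the listener"; bad = 1 }
            }
            if (r == "preauth") {
                if (u == "root")         { print "VIOLATION preauth " p " runs as root"; bad = 1 }
                if (parent != "monitor") { print "VIOLATION preauth " p " parent is not a monitor"; bad = 1 }
            }
            if (r == "postauth") {
                split(cmd[p], f, " "); split(f[2], login, "@")   # "lars@ttyp1" -> lars
                if (u != login[1])       { print "VIOLATION postauth " p " runs as " u ", expected " login[1]; bad = 1 }
                if (parent != "monitor") { print "VIOLATION postauth " p " parent is not a monitor"; bad = 1 }
            }
        }
        exit bad
    }'
}

echo "== constructed healthy tree =="
printf '%s\n' "$SAMPLE_PS" | check_privsep_tree
echo "== constructed broken tree =="
printf '%s\n' "$BAD_PS" | check_privsep_tree || echo "(violations found, exit status 1)"
```

On a live host, source the script and run `ps -ax -o user,pid,ppid,args | check_privsep_tree`; a non-zero exit status means some role is running with the wrong identity or under the wrong parent. The title patterns are the ones printed by the 9.8 sshd-session binary as shown in the thread, so a pre-9.8 server, whose children were titled "sshd: user [priv]" rather than "sshd-session: ...", would classify as "other" and need the patterns adjusted.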