On 20 March 2018 at 14:11, Tinker <[email protected]> wrote:
> Hi,
>
> When connecting to SSHD and authenticating as a user, in what sequence
> are various processes launched (shell / shell with "-l" argument / sshd
> child / login(1)), and in particular, at what stage are login.conf
> settings enforced into the process context by login(1)?

The general rule of thumb is that whatever must be run as root is, everything else is done after privileges have been dropped. sshd didn't use login(1) unless UseLogin was set, and that was removed in the 7.4 release.

> I would guess this is what's described by the "LOGIN PROCESS" section
> in the sshd(8) man page:
>
> * A child SSHD process is spawned already at connect time, meaning
> prior to step 1, right.
> * Steps 1 up to 4 are run as root by the sshd child,
>
> * login(1) is execve:ed at step "4. Changes to run with normal user
> privileges.", and it will

login isn't used at all. On OpenBSD, sshd calls the equivalent functions in session.c:do_setusercontext(). On other platforms exactly what happens varies depending on platform and configuration but it's roughly the same.

[...]
> * execve /bin/sh (or sshd??) to perform the remaining steps (5-9)

Steps 5-9 are done by sshd.

>
> * The user's shell (without "-l") is execve:ed in step 9.
>
> http://man.openbsd.org/sshd.8#LOGIN_PROCESS
> http://man.openbsd.org/login.conf.5
>
> Also I'd guess it should be a similar process for SFTP

sftp works approximately the same as a shell except sftp-server is exec'ed instead of the shell.

>, telnet

telnetd is no longer supported but I think it always exec'ed login(1).

> other authenticated services.

Can't speak to those.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

