Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
On Fri, 24 Jan 2020, Stuart Henderson wrote: > That works - etc/rc.d/sshd diff to match as follows: > > Index: sshd > === > RCS file: /cvs/src/etc/rc.d/sshd,v > retrieving revision 1.5 > diff -u -p -r1.5 sshd > --- sshd 22 Jan 2020 13:14:51 - 1.5 > +++ sshd 24 Jan 2020 11:59:52 - > @@ -6,7 +6,7 @@ daemon="/usr/sbin/sshd" > > . /etc/rc.d/rc.subr > > -pexp="sshd: \[listener\].*" > +pexp="sshd: ${daemon}${daemon_flags:+ ${daemon_flags}} \[listener\].*" > > rc_reload() { > ${daemon} ${daemon_flags} -t && pkill -HUP -xf "${pexp}" ok djm
Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
On Fri, 24 Jan 2020, Antoine Jacoutot wrote: > Great :-) > Ok aja committed, the proctitle looks like this now in case the rc scripts need further tweaking: $ pgrep -lf sshd 12844 sshd: /usr/sbin/sshd -f /etc/ssh/sshd_config [listener] 0 of 10-100 startups
Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
Great :-) Ok aja — Antoine > On 24 Jan 2020, at 13:02, Stuart Henderson wrote: > > On 2020/01/23 21:20, Damien Miller wrote: >>> On Thu, 23 Jan 2020, Damien Miller wrote: >>> On Thu, 23 Jan 2020, Damien Miller wrote: >>> What information would you like there? We could put the first N listen addrs in the proctitle if that would help. >>> >>> Maybe like this: >>> >>> 63817 ?? S0:00.05 sshd: [listen] on [0.0.0.0]:22, [::]:22, 0 of >>> 10-100 >> >> antoine@ said this was not sufficient, so please try the following: >> >> 63817 ?? I0:00.09 sshd: /usr/sbin/sshd [listener] 0 of 10-100 >> startups > > That works - etc/rc.d/sshd diff to match as follows: > > Index: sshd > === > RCS file: /cvs/src/etc/rc.d/sshd,v > retrieving revision 1.5 > diff -u -p -r1.5 sshd > --- sshd22 Jan 2020 13:14:51 -1.5 > +++ sshd24 Jan 2020 11:59:52 - > @@ -6,7 +6,7 @@ daemon="/usr/sbin/sshd" > > . /etc/rc.d/rc.subr > > -pexp="sshd: \[listener\].*" > +pexp="sshd: ${daemon}${daemon_flags:+ ${daemon_flags}} \[listener\].*" > > rc_reload() { >${daemon} ${daemon_flags} -t && pkill -HUP -xf "${pexp}" > > > >> >> diff --git a/sshd.c b/sshd.c >> index f6139fe..b7ed0f3 100644 >> --- a/sshd.c >> +++ b/sshd.c >> @@ -240,6 +240,8 @@ void destroy_sensitive_data(void); >> void demote_sensitive_data(void); >> static void do_ssh2_kex(struct ssh *); >> >> +static char *listener_proctitle; >> + >> /* >> * Close all listening sockets >> */ >> @@ -1032,9 +1034,9 @@ server_accept_loop(int *sock_in, int *sock_out, int >> *newsock, int *config_s) >> */ >>for (;;) { >>if (ostartups != startups) { >> -setproctitle("[listener] %d of %d-%d startups", >> -startups, options.max_startups_begin, >> -options.max_startups); >> +setproctitle("%s [listener] %d of %d-%d startups", >> +listener_proctitle, startups, >> +options.max_startups_begin, options.max_startups); >>ostartups = startups; >>} >>if (received_sighup) { >> @@ -1347,6 +1349,41 @@ accumulate_host_timing_secret(struct sshbuf >> *server_cfg, >>sshbuf_free(buf); >> } >> >> +static void >> +xextendf(char **s, const char *sep, const char *fmt, ...) >> +__attribute__((__format__ (printf, 3, 4))) __attribute__((__nonnull__ >> (3))); >> +static void >> +xextendf(char **sp, const char *sep, const char *fmt, ...) >> +{ >> +va_list ap; >> +char *tmp1, *tmp2; >> + >> +va_start(ap, fmt); >> +xvasprintf(, fmt, ap); >> +va_end(ap); >> + >> +if (*sp == NULL || **sp == '\0') { >> +free(*sp); >> +*sp = tmp1; >> +return; >> +} >> +xasprintf(, "%s%s%s", *sp, sep, tmp1); >> +free(tmp1); >> +free(*sp); >> +*sp = tmp2; >> +} >> + >> +static char * >> +prepare_proctitle(int ac, char **av) >> +{ >> +char *ret = NULL; >> +int i; >> + >> +for (i = 0; i < ac; i++) >> +xextendf(, " ", "%s", av[i]); >> +return ret; >> +} >> + >> /* >> * Main program for the daemon. >> */ >> @@ -1774,6 +1811,7 @@ main(int ac, char **av) >>rexec_argv[rexec_argc] = "-R"; >>rexec_argv[rexec_argc + 1] = NULL; >>} >> +listener_proctitle = prepare_proctitle(ac, av); >> >>/* Ensure that umask disallows at least group and world write */ >>new_umask = umask(0077) | 0022; >> >
Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
On 2020/01/23 21:20, Damien Miller wrote: > On Thu, 23 Jan 2020, Damien Miller wrote: > > > On Thu, 23 Jan 2020, Damien Miller wrote: > > > > > What information would you like there? We could put the first N listen > > > addrs in the proctitle if that would help. > > > > Maybe like this: > > > > 63817 ?? S0:00.05 sshd: [listen] on [0.0.0.0]:22, [::]:22, 0 of > > 10-100 > > antoine@ said this was not sufficient, so please try the following: > > 63817 ?? I0:00.09 sshd: /usr/sbin/sshd [listener] 0 of 10-100 > startups That works - etc/rc.d/sshd diff to match as follows: Index: sshd === RCS file: /cvs/src/etc/rc.d/sshd,v retrieving revision 1.5 diff -u -p -r1.5 sshd --- sshd22 Jan 2020 13:14:51 - 1.5 +++ sshd24 Jan 2020 11:59:52 - @@ -6,7 +6,7 @@ daemon="/usr/sbin/sshd" . /etc/rc.d/rc.subr -pexp="sshd: \[listener\].*" +pexp="sshd: ${daemon}${daemon_flags:+ ${daemon_flags}} \[listener\].*" rc_reload() { ${daemon} ${daemon_flags} -t && pkill -HUP -xf "${pexp}" > > diff --git a/sshd.c b/sshd.c > index f6139fe..b7ed0f3 100644 > --- a/sshd.c > +++ b/sshd.c > @@ -240,6 +240,8 @@ void destroy_sensitive_data(void); > void demote_sensitive_data(void); > static void do_ssh2_kex(struct ssh *); > > +static char *listener_proctitle; > + > /* > * Close all listening sockets > */ > @@ -1032,9 +1034,9 @@ server_accept_loop(int *sock_in, int *sock_out, int > *newsock, int *config_s) >*/ > for (;;) { > if (ostartups != startups) { > - setproctitle("[listener] %d of %d-%d startups", > - startups, options.max_startups_begin, > - options.max_startups); > + setproctitle("%s [listener] %d of %d-%d startups", > + listener_proctitle, startups, > + options.max_startups_begin, options.max_startups); > ostartups = startups; > } > if (received_sighup) { > @@ -1347,6 +1349,41 @@ accumulate_host_timing_secret(struct sshbuf > *server_cfg, > sshbuf_free(buf); > } > > +static void > +xextendf(char **s, const char *sep, const char *fmt, ...) > +__attribute__((__format__ (printf, 3, 4))) __attribute__((__nonnull__ > (3))); > +static void > +xextendf(char **sp, const char *sep, const char *fmt, ...) > +{ > + va_list ap; > + char *tmp1, *tmp2; > + > + va_start(ap, fmt); > + xvasprintf(, fmt, ap); > + va_end(ap); > + > + if (*sp == NULL || **sp == '\0') { > + free(*sp); > + *sp = tmp1; > + return; > + } > + xasprintf(, "%s%s%s", *sp, sep, tmp1); > + free(tmp1); > + free(*sp); > + *sp = tmp2; > +} > + > +static char * > +prepare_proctitle(int ac, char **av) > +{ > + char *ret = NULL; > + int i; > + > + for (i = 0; i < ac; i++) > + xextendf(, " ", "%s", av[i]); > + return ret; > +} > + > /* > * Main program for the daemon. > */ > @@ -1774,6 +1811,7 @@ main(int ac, char **av) > rexec_argv[rexec_argc] = "-R"; > rexec_argv[rexec_argc + 1] = NULL; > } > + listener_proctitle = prepare_proctitle(ac, av); > > /* Ensure that umask disallows at least group and world write */ > new_umask = umask(0077) | 0022; >
Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
On Thu, 23 Jan 2020, Damien Miller wrote: > On Thu, 23 Jan 2020, Damien Miller wrote: > > > What information would you like there? We could put the first N listen > > addrs in the proctitle if that would help. > > Maybe like this: > > 63817 ?? S0:00.05 sshd: [listen] on [0.0.0.0]:22, [::]:22, 0 of > 10-100 antoine@ said this was not sufficient, so please try the following: 63817 ?? I0:00.09 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups diff --git a/sshd.c b/sshd.c index f6139fe..b7ed0f3 100644 --- a/sshd.c +++ b/sshd.c @@ -240,6 +240,8 @@ void destroy_sensitive_data(void); void demote_sensitive_data(void); static void do_ssh2_kex(struct ssh *); +static char *listener_proctitle; + /* * Close all listening sockets */ @@ -1032,9 +1034,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) */ for (;;) { if (ostartups != startups) { - setproctitle("[listener] %d of %d-%d startups", - startups, options.max_startups_begin, - options.max_startups); + setproctitle("%s [listener] %d of %d-%d startups", + listener_proctitle, startups, + options.max_startups_begin, options.max_startups); ostartups = startups; } if (received_sighup) { @@ -1347,6 +1349,41 @@ accumulate_host_timing_secret(struct sshbuf *server_cfg, sshbuf_free(buf); } +static void +xextendf(char **s, const char *sep, const char *fmt, ...) +__attribute__((__format__ (printf, 3, 4))) __attribute__((__nonnull__ (3))); +static void +xextendf(char **sp, const char *sep, const char *fmt, ...) +{ + va_list ap; + char *tmp1, *tmp2; + + va_start(ap, fmt); + xvasprintf(, fmt, ap); + va_end(ap); + + if (*sp == NULL || **sp == '\0') { + free(*sp); + *sp = tmp1; + return; + } + xasprintf(, "%s%s%s", *sp, sep, tmp1); + free(tmp1); + free(*sp); + *sp = tmp2; +} + +static char * +prepare_proctitle(int ac, char **av) +{ + char *ret = NULL; + int i; + + for (i = 0; i < ac; i++) + xextendf(, " ", "%s", av[i]); + return ret; +} + /* * Main program for the daemon. */ @@ -1774,6 +1811,7 @@ main(int ac, char **av) rexec_argv[rexec_argc] = "-R"; rexec_argv[rexec_argc + 1] = NULL; } + listener_proctitle = prepare_proctitle(ac, av); /* Ensure that umask disallows at least group and world write */ new_umask = umask(0077) | 0022;
Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
On Thu, Jan 23, 2020 at 02:36:43PM +1100, Damien Miller wrote: > On Wed, 22 Jan 2020, Stuart Henderson wrote: > > > On 2020/01/21 15:39, Damien Miller wrote: > > > CVSROOT: /cvs > > > Module name: src > > > Changes by: d...@cvs.openbsd.org2020/01/21 15:39:57 > > > > > > Modified files: > > > usr.bin/ssh: sshd.c > > > > > > Log message: > > > expose the number of currently-authenticating connections > > > along with the MaxStartups limit in the proctitle; > > > suggestion from Philipp Marek, w/ feedback from Craig Miskell > > > ok dtucker@ > > > > > > > It's nice to have this information visible, but it brings some problems. > > You can't now distinguish between multiple sshd processes (e.g. if you > > run several on different ports it's hard to figure out which one to > > signal if needed). > > How could you discern between different sshd processes before? Just the > command-line args? Yes. e.g. for 2 different sshd running: root 92105 0.0 0.0 1360 1296 ?? I Wed07AM0:00.05 /usr/sbin/sshd root 68236 0.0 0.0 1372 1364 ?? S 7:08AM0:00.00 /usr/sbin/sshd -f /etc/ssh/sshd_config2 > What information would you like there? We could put the first N listen > addrs in the proctitle if that would help. Can't we put the args back and append the new things we expose? That will also be easier to know which currently-authenticating / MaxStartups sshd process we are talking about if we run several. proctitle bit us in the arse several times in the past with rc.d. My 2 cents, maybe I am talking garbage. -- Antoine
Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
On Thu, 23 Jan 2020, Damien Miller wrote: > On Wed, 22 Jan 2020, Stuart Henderson wrote: > > > On 2020/01/21 15:39, Damien Miller wrote: > > > CVSROOT: /cvs > > > Module name: src > > > Changes by: d...@cvs.openbsd.org2020/01/21 15:39:57 > > > > > > Modified files: > > > usr.bin/ssh: sshd.c > > > > > > Log message: > > > expose the number of currently-authenticating connections > > > along with the MaxStartups limit in the proctitle; > > > suggestion from Philipp Marek, w/ feedback from Craig Miskell > > > ok dtucker@ > > > > > > > It's nice to have this information visible, but it brings some problems. > > You can't now distinguish between multiple sshd processes (e.g. if you > > run several on different ports it's hard to figure out which one to > > signal if needed). > > How could you discern between different sshd processes before? Just the > command-line args? > > What information would you like there? We could put the first N listen > addrs in the proctitle if that would help. Maybe like this: 63817 ?? S0:00.05 sshd: [listen] on [0.0.0.0]:22, [::]:22, 0 of 10-100 ok? diff --git a/sshd.c b/sshd.c index ec644c9..15014d1 100644 --- a/sshd.c +++ b/sshd.c @@ -240,6 +240,9 @@ void destroy_sensitive_data(void); void demote_sensitive_data(void); static void do_ssh2_kex(struct ssh *); +/* Listen info for proctitle */ +static char *proctitle_listen_addr; + /* * Close all listening sockets */ @@ -913,7 +916,7 @@ listen_on_addrs(struct listenaddr *la) { int ret, listen_sock; struct addrinfo *ai; - char ntop[NI_MAXHOST], strport[NI_MAXSERV]; + char *cp, ntop[NI_MAXHOST], strport[NI_MAXSERV]; for (ai = la->addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) @@ -973,6 +976,15 @@ listen_on_addrs(struct listenaddr *la) ntop, strport, la->rdomain == NULL ? "" : " rdomain ", la->rdomain == NULL ? "" : la->rdomain); + if (num_listen_socks < 3) { + cp = proctitle_listen_addr; + xasprintf(_listen_addr, "%s%s[%s]:%s%s%s", + cp == NULL ? "" : cp, cp == NULL ? "" : ", ", + ntop, strport, + la->rdomain == NULL ? "" : " rdomain ", + la->rdomain == NULL ? "" : la->rdomain); + free(cp); + } } } @@ -1030,7 +1042,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) */ for (;;) { if (ostartups != startups) { - setproctitle("[listener] %d of %d-%d startups", + setproctitle("[listen] on %s%s, " + "%d of %d-%d startups", proctitle_listen_addr, + num_listen_socks > 3 ? " [...]" : "", startups, options.max_startups_begin, options.max_startups); ostartups = startups;
Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
On Wed, 22 Jan 2020, Stuart Henderson wrote: > On 2020/01/21 15:39, Damien Miller wrote: > > CVSROOT:/cvs > > Module name:src > > Changes by: d...@cvs.openbsd.org2020/01/21 15:39:57 > > > > Modified files: > > usr.bin/ssh: sshd.c > > > > Log message: > > expose the number of currently-authenticating connections > > along with the MaxStartups limit in the proctitle; > > suggestion from Philipp Marek, w/ feedback from Craig Miskell > > ok dtucker@ > > > > It's nice to have this information visible, but it brings some problems. > You can't now distinguish between multiple sshd processes (e.g. if you > run several on different ports it's hard to figure out which one to > signal if needed). How could you discern between different sshd processes before? Just the command-line args? What information would you like there? We could put the first N listen addrs in the proctitle if that would help. -d
Re: sshd proctitle [Re: CVS: cvs.openbsd.org: src]
I guess this needs to be changed again, to retain more info from the original title. Stuart Henderson wrote: > On 2020/01/21 15:39, Damien Miller wrote: > > CVSROOT:/cvs > > Module name:src > > Changes by: d...@cvs.openbsd.org2020/01/21 15:39:57 > > > > Modified files: > > usr.bin/ssh: sshd.c > > > > Log message: > > expose the number of currently-authenticating connections > > along with the MaxStartups limit in the proctitle; > > suggestion from Philipp Marek, w/ feedback from Craig Miskell > > ok dtucker@ > > > > It's nice to have this information visible, but it brings some problems. > You can't now distinguish between multiple sshd processes (e.g. if you > run several on different ports it's hard to figure out which one to > signal if needed). > > The rc.d script also needs updating because it uses pgrep to find the > matching process: > > Index: sshd > === > RCS file: /cvs/src/etc/rc.d/sshd,v > retrieving revision 1.4 > diff -u -p -r1.4 sshd > --- sshd 11 Jan 2018 19:52:12 - 1.4 > +++ sshd 22 Jan 2020 12:52:15 - > @@ -6,6 +6,8 @@ daemon="/usr/sbin/sshd" > > . /etc/rc.d/rc.subr > > +pexp="sshd: \[listener\].*" > + > rc_reload() { > ${daemon} ${daemon_flags} -t && pkill -HUP -xf "${pexp}" > } > >