2010.03.26  What is the [priv] in the sshd process?
Linux  2010. 3. 26. 17:12
I opened two ssh sessions in two PuTTY windows and ran ps -ef | grep sshd, which showed four sshd daemons in addition to the listener (the last line is the grep itself):
root      2050     1  0 Mar24 ?        00:00:00 /usr/sbin/sshd
root     25402  2050  0 10:23 ?        00:00:00 sshd: morpheuz [priv]
morpheuz 25404 25402  0 10:23 ?        00:00:00 sshd: morpheuz@pts/1
root     26343  2050  0 16:53 ?        00:00:00 sshd: morpheuz [priv]
morpheuz 26345 26343  0 16:53 ?        00:00:00 sshd: morpheuz@pts/4
morpheuz 26394 25405  0 17:00 pts/1    00:00:00 grep --color=auto sshd

priv is short for privileged. This is OpenSSH privilege separation: the connection is accepted by the sshd running as root, which is what is needed to bind the listening socket and later to switch to the user's identity. For each connection the root sshd forks a privileged monitor (the "[priv]" process), and the monitor forks a child with restricted privileges that does the actual work for the session.
The listing above shows the state after login. Before authentication the unprivileged child runs as the dedicated sshd user, chrooted into an empty directory; once authentication succeeds the monitor forks a new child under the logged-in user's uid, which is the "sshd: morpheuz@pts/1" process seen here.

As the ps -ef output above shows, the processes run in this hierarchy:
[root] /usr/sbin/sshd
[root]           + sshd : morpheuz [priv]
[user]                    + sshd : morpheuz@pts/1
[root]           + sshd : morpheuz [priv]
[user]                    + sshd : morpheuz@pts/4
The process that actually serves the session is confined to the user's privileges, so a compromise of that code cannot damage the system as root.
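To turn that observation into a check, the following script is an added example (my own, not part of the original post): it reads the output of ps -eo user,pid,ppid,args and verifies that every "[priv]" monitor runs as root under a root sshd, and that every "user@tty" session handler runs as that user under the matching monitor. The two embedded listings are constructed: the first is the post's ps -ef output rebuilt in that column layout, the second is a made-up counter-example in which the session handler kept root and has no monitor above it. Pass the argument live to audit the running host instead.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check that a host's sshd
# processes show the privilege-separation layout described above.
#
# Input (stdin) is the output of:  ps -eo user,pid,ppid,args
# Checks, per process:
#   "sshd: <user> [priv]"   must run as root and its parent must be a root sshd
#                           (the listener)
#   "sshd: <user>@<tty>"    must run as <user> and its parent must be the
#                           "[priv]" monitor for that same user
# Other "sshd: ..." lines (e.g. pre-auth children) are reported and skipped.
# Prints FAIL lines for violations, an OK summary otherwise; exit 1 on any FAIL.
audit_sshd_privsep() {
    awk '
    # Skip the header line (PID column is not numeric).
    $2 !~ /^[0-9]+$/ { next }
    {
        user[$2] = $1; ppid[$2] = $3
        cmd = $4
        for (i = 5; i <= NF; i++) cmd = cmd " " $i
        args[$2] = cmd
    }
    END {
        bad = 0; monitors = 0; sessions = 0
        for (p in args) {
            if (args[p] !~ /^sshd: /) continue
            split(args[p], f, "[ @]")          # f[2] = user named in the process title
            pp = ppid[p]
            if (args[p] ~ /^sshd: [^ ]+ \[priv\]$/) {
                monitors++
                if (user[p] != "root") {
                    print "FAIL: monitor " p " (" args[p] ") runs as " user[p] ", expected root"; bad = 1
                }
                if (!(pp in args) || args[pp] !~ /sshd/ || user[pp] != "root") {
                    print "FAIL: monitor " p " parent " pp " is not a root sshd listener"; bad = 1
                }
            } else if (args[p] ~ /^sshd: [^ @]+@[^ ]+$/) {
                sessions++
                if (user[p] != f[2]) {
                    print "FAIL: session " p " (" args[p] ") runs as " user[p] ", expected " f[2]; bad = 1
                }
                want = "sshd: " f[2] " [priv]"
                if (!(pp in args) || args[pp] != want) {
                    print "FAIL: session " p " parent " pp " is not the [priv] monitor for " f[2]; bad = 1
                }
            } else {
                print "INFO: " p " (" args[p] ") not checked"
            }
        }
        if (!bad) print "OK: " monitors " monitor(s), " sessions " session(s) checked"
        exit bad
    }'
}

# Constructed sample in "ps -eo user,pid,ppid,args" layout, rebuilt from the
# ps -ef listing in the post above.
SAMPLE_GOOD='USER       PID  PPID COMMAND
root      2050     1 /usr/sbin/sshd
root     25402  2050 sshd: morpheuz [priv]
morpheuz 25404 25402 sshd: morpheuz@pts/1
root     26343  2050 sshd: morpheuz [priv]
morpheuz 26345 26343 sshd: morpheuz@pts/4
morpheuz 26394 25405 grep --color=auto sshd'

# Constructed counter-example: a session handler that is still root and hangs
# directly off the listener, i.e. no [priv] monitor in between.
SAMPLE_BAD='USER       PID  PPID COMMAND
root      2050     1 /usr/sbin/sshd
root     25402  2050 sshd: morpheuz@pts/1'

if [ "${1:-}" = "live" ]; then
    ps -eo user,pid,ppid,args | audit_sshd_privsep     # audit the running host
else
    printf '%s\n' "$SAMPLE_GOOD" | audit_sshd_privsep
    printf '%s\n' "$SAMPLE_BAD"  | audit_sshd_privsep || true
fi
```

The listener check is deliberately loose (any root process whose command line contains sshd), because newer OpenSSH versions retitle the listener; the session check is strict, since a "user@tty" handler owned by root, or one whose parent is not a "[priv]" monitor, is exactly the layout privilege separation is meant to rule out.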

     When a user successfully logs in, sshd does the following:

           1.   If the login is on a tty, and no command has been specified, prints last
                login time and /etc/motd (unless prevented in the configuration file or by
                ~/.hushlogin; see the FILES section).
           2.   If the login is on a tty, records login time.
           3.   Checks /etc/nologin; if it exists, prints contents and quits (unless root).
           4.   Changes to run with normal user privileges.
           5.   Sets up basic environment.
           6.   Reads the file ~/.ssh/environment, if it exists, and users are allowed to
                change their environment.  See the PermitUserEnvironment option in
           7.   Changes to user’s home directory.
           8.   If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, runs it; otherwise
                runs xauth.  The “rc” files are given the X11 authentication protocol
                and cookie in standard input.
           9.   Runs user’s shell or command.

[Link: http://linux.die.net/man/8/sshd]

[Link: http://www.citi.umich.edu/u/provos/ssh/privsep.html]
[Link: http://www.citi.umich.edu/u/provos/ssh/privsep-faq.html]

Posted by 구차니