hi folks,
we are in the process of conceptualizing a better owner matching
method for iptables, and part of what we want to accomplish is
associating incoming ssh connections with a user id. the *:22 socket
is owned by root, but for every established session, a new sshd is
spawned, which should drop privileges to effectively be the
authenticated user. the following somewhat goes in that direction.
fishbowl:~> ps -eo uid,gid,euid,egid,suid,sgid,args|grep "[s]shd"
0 0 0 0 0 0 /usr/sbin/sshd
0 0 0 0 0 100 /usr/sbin/sshd
as you can see, there's an established ssh session for a user in the
"users" group (gid=100). what i am wondering is why the sgid
(saved gid) is set, but none of the *uid fields. furthermore, why sgid
and not gid or egid? after all, sgid should really be 0 and gid/egid
should be 100.
could someone here enlighten me? i am writing this disconnected from
the 'net, otherwise i'd (also) talk to the openssh people, and i will
forward this email to them as soon as i get an IP again.
oh, and for your info:
fishbowl:~> dpkg -l ssh | grep ^ii
ii ssh 3.0.2p1-8.3 Secure rlogin/rsh/rcp replacement
thanks for any insights!
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
"oh what a tangled web we weave, when first we practice to deceive."
-- shakespeare
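The ps columns above are the same four values the Linux kernel exposes per process in /proc/<pid>/status as "Uid:" and "Gid:" lines (real, effective, saved, filesystem). The following is an added example, not code from the mail or from OpenSSH: it parses those lines and reports any process whose real, effective and saved ids disagree, which is exactly the state shown for the post-auth sshd (gid=0, egid=0, sgid=100). The two status snippets are constructed samples, and the /proc walk only works on Linux.

```python
import os
import re
from typing import Dict, List, Tuple

# (real, effective, saved, filesystem), in the order /proc/<pid>/status lists them
Ids = Tuple[int, int, int, int]

# Constructed sample: roughly what the post-auth sshd from the mail would look
# like in /proc/<pid>/status -- every uid column 0, only the saved gid at 100.
SAMPLE_SSHD_CHILD = """\
Name:\tsshd
State:\tS (sleeping)
Pid:\t4242
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t100\t0
Groups:\t100
"""

# Constructed sample of a fully dropped process: all four columns agree.
SAMPLE_DROPPED = """\
Name:\tsshd
State:\tS (sleeping)
Pid:\t4243
Uid:\t1000\t1000\t1000\t1000
Gid:\t100\t100\t100\t100
Groups:\t100
"""

_ID_LINE = re.compile(
    r"^(Uid|Gid):[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.M
)


def parse_ids(status_text: str) -> Dict[str, Ids]:
    """Return {'Uid': (real, eff, saved, fs), 'Gid': (...)} from status text."""
    found: Dict[str, Ids] = {}
    for m in _ID_LINE.finditer(status_text):
        found[m.group(1)] = tuple(int(x) for x in m.groups()[1:])  # type: ignore[assignment]
    if set(found) != {"Uid", "Gid"}:
        raise ValueError("status text lacks Uid:/Gid: lines")
    return found


def mismatches(status_text: str) -> List[str]:
    """Names ('Uid'/'Gid') whose real, effective and saved values disagree.

    The filesystem id is ignored on purpose: the kernel keeps it equal to the
    effective id unless setfsuid()/setfsgid() is called explicitly, so it adds
    no information about whether a privilege drop was complete.
    """
    out = []
    for name, (real, eff, saved, _fs) in parse_ids(status_text).items():
        if not (real == eff == saved):
            out.append(name)
    return out


def scan_proc(process_name: str = "sshd") -> List[Tuple[int, List[str]]]:
    """Walk the live /proc (Linux only) and return (pid, mismatched id sets)
    for every process called `process_name`. Processes that vanish or are
    unreadable mid-scan are skipped."""
    hits: List[Tuple[int, List[str]]] = []
    name_re = re.compile(rf"^Name:[ \t]+{re.escape(process_name)}[ \t]*$", re.M)
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                text = fh.read()
        except OSError:
            continue
        if not name_re.search(text):
            continue
        try:
            bad = mismatches(text)
        except ValueError:
            continue
        if bad:
            hits.append((int(entry), bad))
    return hits


if __name__ == "__main__":
    print("sample sshd child mismatches:", mismatches(SAMPLE_SSHD_CHILD))
    print("sample dropped process mismatches:", mismatches(SAMPLE_DROPPED))
    if os.path.isdir("/proc"):
        for pid, bad in scan_proc():
            print(f"pid {pid}: real/effective/saved disagree for {', '.join(bad)}")
```

On the sample from the mail this reports only "Gid", which is the kind of check worth running against any daemon that is supposed to drop to the authenticated user before you build an owner match on top of it: a saved id that still differs from the effective one means the process could switch back with a plain setgid()/setuid() call.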