What is /usr/sbin/sshd -R?
I saw a curious thing in IDS logs recently. It was a report of an outgoing connection that showed the parent process as /usr/sbin/sshd -R.
I am aware of the -R argument to ssh (client) for remote port forwarding, but have never seen a -R option to the sshd daemon.
No -R appears in man sshd. What does this argument do?
Solution 1:
Reviewing the source code, the -R is an undocumented flag which SSHD uses to indicate to a child process that it has been re-executed in order to re-initialize randomization buffers, etc.
Quoting Jenny D from this answer to "Why does sshd requires an absolute path?":
For every new connection, sshd will re-execute itself, to ensure that all execute-time randomisations are re-generated for each new connection. In order for sshd to re-execute itself, it needs to know the full path to itself.
Here's a quote from the release notes for 3.9:
Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things
The -R is added to a copy of the command line arguments passed when sshd re-executes itself:
    if (rexec_flag) {
        if (rexec_argc < 0)
            fatal("rexec_argc %d < 0", rexec_argc);
        /* room for the saved arguments, "-R" and the NULL terminator */
        rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
        for (i = 0; i < (u_int)rexec_argc; i++) {
            debug("rexec_argv[%d]='%s'", i, saved_argv[i]);
            rexec_argv[i] = saved_argv[i];
        }
        rexec_argv[rexec_argc] = "-R";   /* marks the re-executed child */
        rexec_argv[rexec_argc + 1] = NULL;
    }
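To see why the re-exec matters, here is a small added example (not OpenSSH code and not from the answer above) that mimics the pattern: it copies its own argv, appends a hypothetical "-R" marker exactly as sshd does, and execs itself, printing a stack, heap and code address before and after so the fresh randomisation is visible. It assumes ASLR is enabled and that argv[0] is a path the program can execv.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Marker appended on re-exec, mirroring sshd's "-R" (assumption: a toy
 * argument convention, this program only inspects the last argument). */
#define REEXEC_FLAG "-R"

/* Copy argv and append REEXEC_FLAG plus a NULL terminator, the same shape
 * as the rexec_argv construction in sshd.c. Caller frees the array. */
char **build_rexec_argv(int argc, char **argv) {
    char **rexec_argv = calloc((size_t)argc + 2, sizeof(char *));
    if (rexec_argv == NULL)
        return NULL;
    for (int i = 0; i < argc; i++)
        rexec_argv[i] = argv[i];
    rexec_argv[argc] = REEXEC_FLAG;
    rexec_argv[argc + 1] = NULL;
    return rexec_argv;
}

/* True when this process was started through the re-exec path. */
int is_reexec(int argc, char **argv) {
    return argc > 0 && strcmp(argv[argc - 1], REEXEC_FLAG) == 0;
}

/* Print a stack, heap and code address so the two runs can be compared;
 * with ASLR on, all three differ between parent and re-executed child. */
static void report(const char *label) {
    int stack_var = 0;
    void *heap_ptr = malloc(16);
    printf("%s: stack=%p heap=%p code=%p\n", label,
           (void *)&stack_var, heap_ptr, (void *)report);
    free(heap_ptr);
}

int main(int argc, char **argv) {
    if (is_reexec(argc, argv)) {
        report("re-executed child");
        return 0;
    }
    report("original process ");
    char **rexec_argv = build_rexec_argv(argc, argv);
    if (rexec_argv == NULL)
        return 1;
    /* Like sshd, this relies on argv[0] being a usable path to itself. */
    execv(argv[0], rexec_argv);
    perror("execv");   /* only reached when the re-exec failed */
    free(rexec_argv);
    return 1;
}
```

Running it twice also shows why a process tree listing or IDS log records the child as "<path> -R": the marker is simply the last element of the copied argument vector.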