Osx process monitor6/25/2023 ![]() Note that on macOS the default built in shells (as seen in /etc/shells) are /bin/bash, /bin/csh, /bin/dash, /bin/ksh, /bin/sh, /bin/tcsh, and /bin/zsh.įrom a Splunk perspective there shouldn’t be anything too complicated here. Rather than loading a LaunchDaemon, a user can enable remote logins from the command line by using the systemsetup command.Īs long as your tooling allows you to make connections via parent child relationships all you need to do is look for any time a shell is created where the parent of that shell is sshd. In fact, I’d argue the enabling of remote logins done via System Preferences is less of a concern than if someone was to do it from the command line. ![]() Finally, the second sshd instance will spawn a shell from which all future commands that the user enters will originate.īefore moving on, it’s important to note that there are other ways to enable the SSHD service. By this, I mean to say that neither of the sshd services seen above will act as a “master” for additional logins. Note however, that if another login occurs while this login is ongoing, all of the same processes seen above are created again. And yes, two sshd processes are created when a login occurs. This tiny binary quickly handles a few checks before exec’ing into sshd. First we see sshd-keygen-wrapper get created. All processes below smd in the above screenshot will exist after a login attempt occurs with the exception of the zsh shell which occurs after the login is successful. The smd service handles multiple different remote login services as well as other items that you enable or disable via the system preferences. This is also the reason there aren’t any signs of an SSH service listener in your ps output until you attempt to log in. (For more on the TrueTree model go check out my previous blog posts ). In fact, using TrueTree was the only way I even realized that smd played a role in the management of SSH. If you look at standard ps output, you’ll notice that this tree looks a bit different. ![]() This shell is whatever shell the user has set as their default. After the authentication process, an interactive shell is spawned on the system that will carry out the commands at the user’s request. You shouldn’t need much introduction here. ![]() It’s launchagent can be seen at /System/Library/LaunchAgents/ where it is loaded at start up with the undocumented -l argument. It is not actually required in order for a user to log in via username and password. In fact, this process is probably running on your system even if SSH is disabled! It’s best known for the management of SSH keys. There are some use cases where sshd-keygen-wrapper performs some different actions, but on most SSH setups the process does exactly what the name implies.ĭespite its name, ssh-agent is not actually the service listening for SSH connections. It often immediately exec’s into the sshd service. This sshd helper process kicks off on a login attempt. This is probably the most common service that comes to mind when dealing with SSH. When you attempt to log in to a system multiple instances of sshd are kicked off in order to handle the login process and the user session. Over time Apple has moved more responsibility into this daemon. The smd binary (or presumably Service Management Daemon) is what actually controls whether or not SSH is enabled or disabled. Here they are, each with a brief summary of their responsibilities. To understand how to best track different SSH behaviors, we first have to familiarize ourselves with the different binaries that play a role in creating an SSH session.
0 Comments
Leave a Reply. |