SSHD – Why Does SSHD Require an Absolute Path?

executablepathSecuritysshd

Why does sshd require an absolute path when restarting, e.g /usr/sbin/sshd rather than sshd

Are there any security implications?

P.S the error message:

# sshd
sshd re-exec requires execution with an absolute path

Best Answer

This is specific to OpenSSH from version 3.9 onwards.

For every new connection, sshd will re-execute itself, to ensure that all execute-time randomisations are re-generated for each new connection. In order for sshd to re-execute itself, it needs to know the full path to itself.

Here's a quote from the release notes for 3.9:

Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things

In any case, it is usually better to restart a service using either its init script (e.g. /etc/init.d/sshd restart) or using service sshd restart. If nothing else, it will help you verify that the service will start properly after the next reboot...

(original answer, now irrelevant: My first guess would be that /usr/sbin isn't in your $PATH.)

Related Solutions

Ssh – Use SSH key authentication with custom user $HOME

It doesn't matter who owns /pkg/. If it would be owned by usera then you would have problems with userb etc. So it must be something else that prevents SSHD from using authorized_keys file. You have to check if this file is writable only by the owner and if it is owned by proper user. The same applies all parent directories.

Decomposition of path specs into longest-common-prefix + suffix

You can do that in a shell loop. The code below should work with all kinds of strange paths with extra slashes; if all your paths are of the form /foo/bar, you can get away with something simpler.

split_common_prefix () {
  path1=$1
  path2=$2
  common_prefix=
  ## Handle initial // specially
  case $path1 in
    //[!/]*) case $path2 in
               //[!/]*) common_prefix=/ path1=${path1#/} path2=${path2#/};;
               *) return;;
             esac;;
    /*) case $path2 in
          /*) :;;
          *) return;;
        esac;;
    *) case $path2 in /*) return;; esac;;
  esac
  ## Normalize multiple slashes
  trailing_slash1= trailing_slash2=
  case $path1 in */) trailing_slash1=/;; esac
  case $path2 in */) trailing_slash2=/;; esac
  path1=$(printf %s/ "$path1" | tr -s / /)
  path2=$(printf %s/ "$path2" | tr -s / /)
  if [ -z "$trailing_slash1" ]; then path1=${path1%/}; fi
  if [ -z "$trailing_slash2" ]; then path2=${path2%/}; fi
  ## Handle the complete prefix case (faster, necessary for equality and
  ## for some cases with trailing slashes)
  case $path1 in
    "$path2")
      common_prefix=$path1; path1= path2=
      return;;
    "$path2"/*)
      common_prefix=$path2; path1=${path1#$common_prefix} path2=
      return;;
  esac
  case $path2 in
    "$path1"/*)
      common_prefix=$path1; path1= path2=${path2#$common_prefix}
      return;;
  esac
  ## Handle the generic case
  while prefix1=${path1%%/*} prefix2=${path2%%/*}
        [ "$prefix1" = "$prefix2" ]
  do
    common_prefix=$common_prefix$prefix1/
    path1=${path1#$prefix1/} path2=${path2#$prefix1/}
  done
}

Alternatively, determine the longest common prefix of the two strings and trim it to its last / character (except when the common prefix consists solely of slashes).

Best Answer

Related Solutions

Ssh – Use SSH key authentication with custom user $HOME

Decomposition of path specs into longest-common-prefix + suffix

Related Question