sshd PID changed

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

sshd PID changed

Kizito Porta Balanyà
Hello,

I'm receiving some rare monit messages related to the sshd service.

The service "cygrunsrv sshd" is not restarted (eventviewer is OK), but
sometimes (not always) I get the following alerts:


Alert 1:
PID changed Service checkMatching_sshd
                 Date:        Mon, 09 Mar 2015 16:14:26
                 Description: process PID changed from 1968 to 1744

PPID changed Service checkMatching_sshd
                 Date:        Mon, 09 Mar 2015 16:14:26
                 Description: process PPID changed from 5344 to 2860


Alert 2:
PID changed Service checkMatching_sshd
                 Date:        Mon, 09 Mar 2015 16:14:42
                 Description: process PID changed from 1744 to 2464

PPID changed Service checkMatching_sshd
                 Date:        Mon, 09 Mar 2015 16:14:42
                 Description: process PPID changed from 2860 to 5344


Does the ssh service changes its own pid?

Thanks a lot for your time.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: sshd PID changed

Kizito Porta Balanyà
Hello,

No one is interested in this commented behaviour ?
Or it is expected as designed ?

Thanks a lot for your time.


2015-03-10 10:16 GMT+01:00 Kizito Porta Balanyà <[hidden email]>:

> Hello,
>
> I'm receiving some rare monit messages related to the sshd service.
>
> The service "cygrunsrv sshd" is not restarted (eventviewer is OK), but
> sometimes (not always) I get the following alerts:
>
>
> Alert 1:
> PID changed Service checkMatching_sshd
>                  Date:        Mon, 09 Mar 2015 16:14:26
>                  Description: process PID changed from 1968 to 1744
>
> PPID changed Service checkMatching_sshd
>                  Date:        Mon, 09 Mar 2015 16:14:26
>                  Description: process PPID changed from 5344 to 2860
>
>
> Alert 2:
> PID changed Service checkMatching_sshd
>                  Date:        Mon, 09 Mar 2015 16:14:42
>                  Description: process PID changed from 1744 to 2464
>
> PPID changed Service checkMatching_sshd
>                  Date:        Mon, 09 Mar 2015 16:14:42
>                  Description: process PPID changed from 2860 to 5344
>
>
> Does the ssh service changes its own pid?
>
> Thanks a lot for your time.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: sshd PID changed

Mark Geisert
Kizito Porta Balanyà writes:

> No one is interested in this commented behaviour ?
> Or it is expected as designed ?
>
> Thanks a lot for your time.
>
> 2015-03-10 10:16 GMT+01:00 Kizito Porta Balanyà:
> > I'm receiving some rare monit messages related to the sshd service.
> >
> > The service "cygrunsrv sshd" is not restarted (eventviewer is OK), but
> > sometimes (not always) I get the following alerts:
> >
> >
> > Alert 1:
> > PID changed Service checkMatching_sshd
> >                  Date:        Mon, 09 Mar 2015 16:14:26
> >                  Description: process PID changed from 1968 to 1744
> >
> > PPID changed Service checkMatching_sshd
> >                  Date:        Mon, 09 Mar 2015 16:14:26
> >                  Description: process PPID changed from 5344 to 2860

Are those Windows pids or Cygwin pids?  Was monit built under Cygwin?

Windows processes don't (and can't) change their own pid.  Cygwin processes
don't have a need to do it and I don't know if it's even possible (by
mucking around in the shared data segment).  I feel unclean even suggesting
it might be possible.

What's likely happening is monit is reporting two separate sshd processes as
if it's talking about the same process.  When you login via sshd, another
sshd process is created for your session.

Or perhaps monit is malfunctionally not checking the process startup times
in addition to the process pids to distinguish between them.
HTH,

..mark

Reply | Threaded
Open this post in threaded view
|

Re: sshd PID changed

BGINFO4X
2015-03-11 20:52 GMT+01:00 Mark Geisert <[hidden email]>:

> Kizito Porta Balanyà writes:
>> No one is interested in this commented behaviour ?
>> Or it is expected as designed ?
>>
>> Thanks a lot for your time.
>>
>> 2015-03-10 10:16 GMT+01:00 Kizito Porta Balanyà:
>> > I'm receiving some rare monit messages related to the sshd service.
>> >
>> > The service "cygrunsrv sshd" is not restarted (eventviewer is OK), but
>> > sometimes (not always) I get the following alerts:
>> >
>> >
>> > Alert 1:
>> > PID changed Service checkMatching_sshd
>> >                  Date:        Mon, 09 Mar 2015 16:14:26
>> >                  Description: process PID changed from 1968 to 1744
>> >
>> > PPID changed Service checkMatching_sshd
>> >                  Date:        Mon, 09 Mar 2015 16:14:26
>> >                  Description: process PPID changed from 5344 to 2860
>
> Are those Windows pids or Cygwin pids?  Was monit built under Cygwin?
>

Sorry, I missed your answer.

They are cygwin pids and monit was built under cygwin.


> Windows processes don't (and can't) change their own pid.  Cygwin processes
> don't have a need to do it and I don't know if it's even possible (by
> mucking around in the shared data segment).  I feel unclean even suggesting
> it might be possible.
>
> What's likely happening is monit is reporting two separate sshd processes as
> if it's talking about the same process.  When you login via sshd, another
> sshd process is created for your session.

Yes you are right.

Procmatch matches 3 sshd process. I should use PIDFILE instead.

Thanks a lot.

> Or perhaps monit is malfunctionally not checking the process startup times
> in addition to the process pids to distinguish between them.
> HTH,
>
> ..mark
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Fwd: sshd PID changed

Kizito Porta Balanyà
2015-03-11 20:52 GMT+01:00 Mark Geisert <[hidden email]>:

> Kizito Porta Balanyà writes:
>> No one is interested in this commented behaviour ?
>> Or it is expected as designed ?
>>
>> Thanks a lot for your time.
>>
>> 2015-03-10 10:16 GMT+01:00 Kizito Porta Balanyà:
>> > I'm receiving some rare monit messages related to the sshd service.
>> >
>> > The service "cygrunsrv sshd" is not restarted (eventviewer is OK), but
>> > sometimes (not always) I get the following alerts:
>> >
>> >
>> > Alert 1:
>> > PID changed Service checkMatching_sshd
>> >                  Date:        Mon, 09 Mar 2015 16:14:26
>> >                  Description: process PID changed from 1968 to 1744
>> >
>> > PPID changed Service checkMatching_sshd
>> >                  Date:        Mon, 09 Mar 2015 16:14:26
>> >                  Description: process PPID changed from 5344 to 2860
>
> Are those Windows pids or Cygwin pids?  Was monit built under Cygwin?
>

Sorry, I missed your answer.

They are cygwin pids and monit was built under cygwin.


> Windows processes don't (and can't) change their own pid.  Cygwin processes
> don't have a need to do it and I don't know if it's even possible (by
> mucking around in the shared data segment).  I feel unclean even suggesting
> it might be possible.
>
> What's likely happening is monit is reporting two separate sshd processes as
> if it's talking about the same process.  When you login via sshd, another
> sshd process is created for your session.

Yes you are right.

Procmatch matches 3 sshd process. I should use PIDFILE instead.

Thanks a lot.

> Or perhaps monit is malfunctionally not checking the process startup times
> in addition to the process pids to distinguish between them.
> HTH,
>
> ..mark
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple