Why does sshd require an absolute path when restarting, e.g. /usr/sbin/sshd rather than sshd?
Are there any security implications?
P.S. the error message:
# sshd
sshd re-exec requires execution with an absolute path
This is specific to OpenSSH from version 3.9 onwards.
For every new connection, sshd will re-execute itself, to ensure that all execute-time randomisations are re-generated for each new connection. In order for sshd to re-execute itself, it needs to know the full path to itself.
Here's a quote from the release notes for 3.9:
- Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things
In any case, it is usually better to restart a service using either its init script (e.g. /etc/init.d/sshd restart) or using service sshd restart. If nothing else, it will help you verify that the service will start properly after the next reboot...
(original answer, now irrelevant: My first guess would be that /usr/sbin isn't in your $PATH.)
This is to prevent someone from injecting a sshd program somewhere in one of the directories in your PATH and you inadvertently executing it. This post from 2004 already describes the issue.
"sshd from $PATH" is a known security flaw, allowing Black Hat to have a different sshd run – waltinator Apr 13 '22 at 19:00
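The PATH-shadowing risk raised in the second answer and the comment can be checked on a host by auditing the search path itself. The script below is an added example, not part of the original posts and not OpenSSH code; `audit_path` and `demo` are hypothetical names, and the directory layout it runs against is constructed.

```sh
#!/bin/sh
# Added example (not OpenSSH code): audit a PATH string for entries that
# could let a planted binary run instead of the intended one.
# audit_path and demo are hypothetical names; all paths are constructed.

# audit_path PATH_STRING COMMAND EXPECTED_ABSOLUTE_PATH
# Prints one finding per line; returns 1 if there was any finding.
audit_path() {
    ap_rest="$1:" ap_cmd=$2 ap_want=$3 ap_first="" ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_dir=${ap_rest%%:*}      # next PATH entry
        ap_rest=${ap_rest#*:}      # remainder after the first colon
        case $ap_dir in
            /*) ;;
            *)  # empty or relative entries resolve against the current directory
                echo "RELATIVE '$ap_dir'"; ap_bad=1; continue ;;
        esac
        [ -d "$ap_dir" ] || continue
        # In the `ls -ldL` mode string, chars 6 and 9 are group/other write.
        case $(ls -ldL "$ap_dir") in
            ?????w*|????????w*) echo "WRITABLE $ap_dir"; ap_bad=1 ;;
        esac
        # The first executable match is what a bare command name would run.
        if [ -z "$ap_first" ] && [ -f "$ap_dir/$ap_cmd" ] && [ -x "$ap_dir/$ap_cmd" ]; then
            ap_first=$ap_dir/$ap_cmd
        fi
    done
    if [ -n "$ap_first" ] && [ "$ap_first" != "$ap_want" ]; then
        echo "SHADOWED $ap_cmd resolves to $ap_first, expected $ap_want"; ap_bad=1
    fi
    return "$ap_bad"
}

# Constructed layout: a world-writable directory listed before the real one,
# plus a relative "." entry at the end of the search path.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/sbin"
    chmod 0777 "$d/shared"; chmod 0755 "$d/sbin"
    for f in "$d/shared/sshd" "$d/sbin/sshd"; do
        printf '#!/bin/sh\n' > "$f"; chmod 0755 "$f"
    done
    audit_path "$d/shared:$d/sbin:." sshd "$d/sbin/sshd"
    rm -rf "$d"
}
demo
```

On a real host, call it as `audit_path "$PATH" sshd /usr/sbin/sshd` from the account that restarts the daemon, since root's PATH often differs from a login user's.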