Why does sshd require an absolute path when restarting, e.g /usr/sbin/sshd rather than sshd
Are there any security implications?
P.S the error message:
# sshd
sshd re-exec requires execution with an absolute path
Asked
Active
Viewed 1e+01k times
45
Gilles 'SO- stop being evil'
- 829,060
daisy
- 54,555
2 Answers
41
This is specific to OpenSSH from version 3.9 onwards.
For every new connection, sshd will re-execute itself, to ensure that all execute-time randomisations are re-generated for each new connection. In order for sshd to re-execute itself, it needs to know the full path to itself.
Here's a quote from the release notes for 3.9:
- Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things
In any case, it is usually better to restart a service using either its init script (e.g. /etc/init.d/sshd restart) or using service sshd restart. If nothing else, it will help you verify that the service will start properly after the next reboot...
(original answer, now irrelevant: My first guess would be that /usr/sbin isn't in your $PATH.)
Jenny D
- 13,172
-
1Of course its in $PATH, otherwise how can I get that error message from sshd;-P – daisy Jan 15 '14 at 07:38
-
7You mean the error message you didn't mention in your post? – Jenny D Jan 15 '14 at 07:39
-
3My bad, edited the post – daisy Jan 15 '14 at 07:39
11
This is to prevent someone from injecting a sshd program somewhere in one of the directories in your PATH
and you inadvertently executing it. This post from 2004 already describes the issue.
-
1While that post describes the issue correctly, the conclusions drawn in the thread are erroneous. It's not a bug, it's a feature :-) – Jenny D Jan 15 '14 at 08:44
-
-
In the post you linked to, one response was "Bug that crept in through the upgrade to the latest openssh". None of the answers in that thread mentioned the actual reason for requiring a full path - some mentioned the same reason you do, which is very plausible and shows why it's a good idea to use the full path for any program opening login possibilities. But that is not the actual reason for this particular program having that requirement. – Jenny D Jan 15 '14 at 13:39
-
"
sshdfrom$PATH" is a known security flaw, allowing Black Hat to have a differentsshdrun – waltinator Apr 13 '22 at 19:00