no longer quite OT

Richard L. Hamilton rlhamil at smart.net
Mon Sep 3 09:03:23 UTC 2018


sh-3.2$ sudo lsof -i tcp:22
COMMAND PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd   1 root    7u  IPv4 0xa42645727d25d561      0t0  TCP *:ssh (LISTEN)
launchd   1 root   11u  IPv6 0xa42645727d258cf9      0t0  TCP *:ssh (LISTEN)
launchd   1 root   15u  IPv6 0xa42645727d258cf9      0t0  TCP *:ssh (LISTEN)
launchd   1 root   16u  IPv4 0xa42645727d25d561      0t0  TCP *:ssh (LISTEN)
sh-3.2$
sh-3.2$ # with an ssh to another system running
sh-3.2$ sudo lsof -i tcp:22
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd     1    root    7u  IPv4 0xa42645727d25d561      0t0  TCP *:ssh (LISTEN)
launchd     1    root   11u  IPv6 0xa42645727d258cf9      0t0  TCP *:ssh (LISTEN)
launchd     1    root   15u  IPv6 0xa42645727d258cf9      0t0  TCP *:ssh (LISTEN)
launchd     1    root   16u  IPv4 0xa42645727d25d561      0t0  TCP *:ssh (LISTEN)
ssh     95272 rlhamil    4u  IPv4 0xa426457281e19c01      0t0  TCP bigapple.pri:63910->crabapple.pri:ssh (ESTABLISHED)
ssh     95272 rlhamil    5u  IPv4 0xa426457281e19c01      0t0  TCP bigapple.pri:63910->crabapple.pri:ssh (ESTABLISHED)
sh-3.2$
sh-3.2$ # with an incoming ssh also running (from that same system, to make my life easier)
sh-3.2$ sudo lsof -i tcp:22
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd     1    root    7u  IPv4 0xa42645727d25d561      0t0  TCP *:ssh (LISTEN)
launchd     1    root   11u  IPv6 0xa42645727d258cf9      0t0  TCP *:ssh (LISTEN)
launchd     1    root   15u  IPv6 0xa42645727d258cf9      0t0  TCP *:ssh (LISTEN)
launchd     1    root   16u  IPv4 0xa42645727d25d561      0t0  TCP *:ssh (LISTEN)
launchd     1    root   76u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
launchd     1    root   77u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
ssh     95272 rlhamil    4u  IPv4 0xa426457281e19c01      0t0  TCP bigapple.pri:63910->crabapple.pri:ssh (ESTABLISHED)
ssh     95272 rlhamil    5u  IPv4 0xa426457281e19c01      0t0  TCP bigapple.pri:63910->crabapple.pri:ssh (ESTABLISHED)
sshd    95397    root    4u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
sshd    95397    root    5u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
sshd    95399 rlhamil    4u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
sshd    95399 rlhamil    5u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
sh-3.2$ type sshd
sshd is /usr/sbin/sshd

And for amusement, I then fired up a Linux VM, ssh'd into it, and showed what that looks like on its end:
$ sudo lsof -i tcp:22
COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1479    root    3u  IPv4  22371      0t0  TCP *:ssh (LISTEN)
sshd    1479    root    4u  IPv6  22373      0t0  TCP *:ssh (LISTEN)
sshd    2882    root    3u  IPv4  31971      0t0  TCP bigapple-centos.pri:ssh->bigapple.pri:64505 (ESTABLISHED)
sshd    2886 rlhamil    3u  IPv4  31971      0t0  TCP bigapple-centos.pri:ssh->bigapple.pri:64505 (ESTABLISHED)


The sudo is necessary because for non-root, lsof may be built to only show your own processes.  netstat -p is a convenience, but lsof can answer the same questions.

If you're looking at that output deeper than necessary and are confused, the *.pri hosts* happen to be IPv4, while in this particular case, the *.local (multicast DNS/Bonjour/zeroconf) happen to be IPv6 (yes, I have both running locally, although if both are enabled, Bonjour of course advertises both).  In other words, if IPv6 is enabled, sshd listens on both; and when a lookup could find both v4 and v6 addresses, an app may prefer the latter.

I'm not sure why there are two sockets each for IPv4 and IPv6 respectively in LISTEN state for port 22.  As to why there are two incoming processes, maybe that's the privilege separation stuff; but why (on macOS only) there are two file descriptors for each process, both ssh (outgoing) and sshd (incoming), I have no idea.

* an abandoned IETF draft suggested the .pri domain for non-routable private networks, e.g. 192.168.x.y, etc; a fancy DNS configuration that would allow internally visible only use of a registered domain would be better, but that's not practical for my circumstances.


> On Sep 3, 2018, at 01:04, James <jam at tigger.ws> wrote:
> 
> Hi All
> since I’ve been unable to solve passwd-less login on High Sierra I installed port openssh.
> 
> All good except I have two daemons waiting on port 22. I can easily find the LaunchDaemon for openssh but I cannot fathom how Apple run their ssh daemon, or even what it is called.
> 
> I miss Linux’s netstat -anp.
> 
> Can anyone help
> thanks
> James
> 
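
Added example, not part of the original message: a shell function that groups `lsof -i` rows by the DEVICE column, since rows with the same DEVICE value are descriptors for one kernel socket. The function names are made up here; the sample input is the third macOS listing from the post.

```shell
#!/bin/sh
# Added example: group `lsof -i` rows by DEVICE. Rows sharing a DEVICE value are
# descriptors (possibly in several processes) for one kernel socket.
# For scripts run against live hosts, `lsof -F` field output is easier to parse.

# Sample input: the third macOS listing from the post, copied as-is.
sample_lsof() {
cat <<'EOF'
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd     1    root    7u  IPv4 0xa42645727d25d561      0t0  TCP *:ssh (LISTEN)
launchd     1    root   11u  IPv6 0xa42645727d258cf9      0t0  TCP *:ssh (LISTEN)
launchd     1    root   15u  IPv6 0xa42645727d258cf9      0t0  TCP *:ssh (LISTEN)
launchd     1    root   16u  IPv4 0xa42645727d25d561      0t0  TCP *:ssh (LISTEN)
launchd     1    root   76u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
launchd     1    root   77u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
ssh     95272 rlhamil    4u  IPv4 0xa426457281e19c01      0t0  TCP bigapple.pri:63910->crabapple.pri:ssh (ESTABLISHED)
ssh     95272 rlhamil    5u  IPv4 0xa426457281e19c01      0t0  TCP bigapple.pri:63910->crabapple.pri:ssh (ESTABLISHED)
sshd    95397    root    4u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
sshd    95397    root    5u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
sshd    95399 rlhamil    4u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
sshd    95399 rlhamil    5u  IPv6 0xa4264572823fdef9      0t0  TCP bigapple.local:ssh->crabapple.local:65025 (ESTABLISHED)
EOF
}

# sockets_by_device (hypothetical name): read lsof -i output on stdin and print
# one line per socket: STATE TYPE NAME COMMAND/PIDxFDCOUNT ...
sockets_by_device() {
  awk '
    NF >= 10 {                       # data rows only; the header has 9 fields
      dev = $6
      if (!(dev in state)) {
        order[++n] = dev; state[dev] = $10; type[dev] = $5; name[dev] = $9
      }
      h = $1 "/" $2                  # COMMAND/PID holding this descriptor
      if (!((dev, h) in fds)) holders[dev] = holders[dev] " " h
      fds[dev, h]++
    }
    END {
      for (i = 1; i <= n; i++) {
        d = order[i]; out = ""
        m = split(holders[d], hs, " ")
        for (j = 1; j <= m; j++) out = out " " hs[j] "x" fds[d, hs[j]]
        gsub(/[()]/, "", state[d])
        print state[d], type[d], name[d] out
      }
    }'
}

sample_lsof | sockets_by_device
```

On the sample this prints four sockets: one IPv4 and one IPv6 listener, each held by launchd through two descriptors, the incoming connection shared by launchd and both sshd processes, and the outgoing ssh connection.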
