bugzilla-daemon at mindrot.org
2024-Jan-08 22:30 UTC
[Bug 3650] New: [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

            Bug ID: 3650
           Summary: [RFE] Implement a global channel timeout mechanism
           Product: Portable OpenSSH
           Version: 9.5p1
          Hardware: All
                OS: OpenBSD
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: josh at honorablemenschen.com

The ChannelTimeout directive specifies how long a channel is allowed to remain idle before it is closed, which (according to bug 3362) is supposed to be used to enable idle users to be disconnected. Unfortunately, it does not work unless you a) know exactly which channel your user is using and b) only set the timeout for that channel.

For example:

User A logs into the SSH server with X11 forwarding enabled, then makes an SSH connection to a remote server. Once on that server, they start an Xterm window in the background and work in that.

User B logs into the SSH server and just starts working in that session.

Which channel timeout should be enabled to disconnect any user that logs in after being idle for 5 minutes?

If you use session:shell then user A will be disconnected 5 minutes after they start using the Xterm window, no matter what they do - because their interactive shell is idle.

If you use x11-connection, then user B will never get disconnected for being idle, because they are not using X11 forwarding.

If you use * for the channel, then you have the same problem as with using the session:shell timeout, with the added bonus that if any users open other channels then those channels will get disconnected after 5 minutes of idle even if the user is still active in a different channel.

None of these result in a reliable method of disconnecting users for being idle (and ONLY for being 100% idle).

What needs to be set up is a *GLOBAL* channel timeout, which has its idle counter reset when there's activity on *ANY* channel, and disconnects the user from all open channels when it hits the defined value.

Otherwise there is no universal method for disconnecting idle client sessions to replace the previously used ClientAliveInterval/ClientAliveCountMax functionality that the ChannelTimeout was added to (theoretically) replace.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Jan-09 03:56 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3781
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3781&action=edit
ChannelTimeout global=xxx

This implements a "ChannelTimeout global=xxx" feature that will close all open channels when no open channel has traffic for this interval
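
The two users from the report, run through each candidate timeout rule and through the global rule described in comment #1. This is an added example, not code from the bug or from OpenSSH: a simplified model of idle counters in which the activity timelines, the one-hour horizon and the function names are constructed assumptions.

```python
from fnmatch import fnmatchcase

TIMEOUT = 300    # 5 minutes, as in the report
HORIZON = 3600   # end of the modelled hour (constructed)

# Constructed activity timelines, in seconds since login.
USER_A = {"shell": ("session:shell", [0, 10]),                     # idle after t=10
          "xterm": ("x11-connection", list(range(10, 1201, 60)))}  # busy to t=1150
USER_B = {"shell": ("session:shell", list(range(0, 601, 60)))}     # busy to t=600

def idle_deadline(activity, timeout, horizon):
    """First time `timeout` seconds elapse with no activity, else None."""
    times = sorted(activity) + [horizon]
    for prev, nxt in zip(times, times[1:]):
        if nxt - prev >= timeout:
            return prev + timeout
    return None

def simulate(channels, rules, horizon=HORIZON):
    """Return {channel name: close time or None} under `rules`.

    rules maps a channel-type pattern (or the keyword "global") to seconds.
    Simplified model: a closed channel's later activity is not discarded.
    """
    closes = {}
    for name, (ctype, activity) in channels.items():
        timeout = next((t for pat, t in rules.items()
                        if pat != "global" and fnmatchcase(ctype, pat)), None)
        closes[name] = (idle_deadline(activity, timeout, horizon)
                        if timeout else None)
    if "global" in rules:
        # One idle counter, reset by traffic on any channel; closes them all.
        merged = [t for _, activity in channels.values() for t in activity]
        g = idle_deadline(merged, rules["global"], horizon)
        if g is not None:
            closes = {n: g if c is None else min(c, g) for n, c in closes.items()}
    return closes

if __name__ == "__main__":
    for rules in ({"session:shell": TIMEOUT}, {"x11-connection": TIMEOUT},
                  {"*": TIMEOUT}, {"global": TIMEOUT}):
        print(rules, "A:", simulate(USER_A, rules), "B:", simulate(USER_B, rules))
```

Under the session:shell and * rules user A's shell channel closes at t=310 while the Xterm is still in use; under the global rule both of A's channels close together at t=1450, five minutes after the last traffic on any of them.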
bugzilla-daemon at mindrot.org
2024-Jan-09 03:56 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3782
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3782&action=edit
regress test
bugzilla-daemon at mindrot.org
2024-Jan-09 03:56 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Please give this a try
bugzilla-daemon at mindrot.org
2024-Jan-09 07:20 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 3783
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3783&action=edit
cleaner diff
bugzilla-daemon at mindrot.org
2024-Jan-09 07:20 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3781|0                           |1
        is obsolete|                            |
bugzilla-daemon at mindrot.org
2024-Jan-09 15:28 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

--- Comment #5 from josh at honorablemenschen.com ---
That certainly looks like what I'm asking for. Now to figure out how to rebuild sshd on OpenBSD to test it.

Thanks.
bugzilla-daemon at mindrot.org
2024-Jan-09 16:54 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

--- Comment #6 from josh at honorablemenschen.com ---
OK, I have done some (admittedly limited) testing with your patch and it appears to work exactly as advertised. I suspect that this will make a number of people happy, given how much of an uproar there was when the functionality of ClientAliveInterval/ClientAliveCountMax changed.

Thanks again, and hopefully this will make it into the next release.
bugzilla-daemon at mindrot.org
2024-Jan-09 21:40 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
   Attachment #3783|                            |ok?(dtucker at dtucker.net)
              Flags|                            |
bugzilla-daemon at mindrot.org
2024-Jan-09 21:40 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3782|                            |ok?(dtucker at dtucker.net)
              Flags|                            |
bugzilla-daemon at mindrot.org
2024-Jan-09 21:53 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3783|0                           |1
        is obsolete|                            |
   Attachment #3783|ok?(dtucker at dtucker.net)  |
              Flags|                            |
   Attachment #3784|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Created attachment 3784
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3784&action=edit
cleaned up even more
bugzilla-daemon at mindrot.org
2024-Jan-09 21:54 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3782|ok?(dtucker at dtucker.net)  |ok+
              Flags|                            |
bugzilla-daemon at mindrot.org
2024-Jan-09 21:55 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3784|ok?(dtucker at dtucker.net)  |ok+
              Flags|                            |
bugzilla-daemon at mindrot.org
2024-Jan-09 22:22 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Blocks|                            |3651
             Status|NEW                         |RESOLVED

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
this has been committed and will be in openssh-9.7, due in a few months

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3651
[Bug 3651] tracking bug for openssh-9.7
bugzilla-daemon at mindrot.org
2024-Jan-10 15:12 UTC
[Bug 3650] [RFE] Implement a global channel timeout mechanism
https://bugzilla.mindrot.org/show_bug.cgi?id=3650

--- Comment #9 from josh at honorablemenschen.com ---
Thank you very much!