On 05/29/17 04:13 AM, Damien Miller wrote:
> On Fri, 26 May 2017, Tomas Kuthan wrote:
>
>> Hi team,
>>
>> Any chance my patch introducing new sftp-server option '-t idle_timout' [1,2]
>> could be accepted into openssh/openssh-portable?
>
> I think the best place to implement an idle timeout is in sshd. Then it
> could be made per-channel and be able to cover login sessions as well.
>
> That was requested in https://bugzilla.mindrot.org/show_bug.cgi?id=1338

Hi Damien,

Thank you for the pointer, much appreciated.

In this particular deployment, limiting the idle timeout to sftp sessions only would actually be preferable. High numbers of regular sftp users are expected, with only an occasional admin shell access here and there.

What are your reasons for not liking the sftp-server-centric solution? (I admit implementing the timeout in the underlying ssh layer is a more generic solution and it allows for a more graceful tear-down.)

I see ssh idle timeout surfaced on the alias a couple of times before, but it never made it into the code. Are you saying that the idea itself is viable and that a patch could be accepted?

Thanks!
Tomas
On Mon, 29 May 2017, Tomas Kuthan wrote:
> In this particular deployment, limiting the idle timeout to sftp
> sessions only would actually be preferable. High numbers of regular
> sftp users are expected, with only an occasional admin shell access
> here and there.
>
> What are your reasons for not liking the sftp-server-centric solution?
> (I admit implementing the timeout in the underlying ssh layer is a
> more generic solution and it allows for a more graceful tear-down.)
>
> I see ssh idle timeout surfaced on the alias a couple times before,
> but never made it into the code. Are you saying that the idea itself
> is viable and that a patch could be accepted?

The problem is that the mainloop is an old select()-based monster, so adding a decent timer system to it will be ugly and will make it harder to fix later.

Once Markus finishes the refactoring that he's working on at the moment, I'm planning on taking a look at cleaning the mainloop up and adding a decent timer mechanism.

I'm reticent to add a special-case timer to sftp-server before that happens, though improving sftp's reporting of the underlying ssh connection going away seems like a good idea.

-d
On 05/30/17 08:47 AM, Damien Miller wrote:
> On Mon, 29 May 2017, Tomas Kuthan wrote:
>
>> In this particular deployment, limiting the idle timeout to sftp
>> sessions only would actually be preferable. High numbers of regular
>> sftp users are expected, with only an occasional admin shell access
>> here and there.
>>
>> What are your reasons for not liking the sftp-server-centric solution?
>> (I admit implementing the timeout in the underlying ssh layer is a
>> more generic solution and it allows for a more graceful tear-down.)
>>
>> I see ssh idle timeout surfaced on the alias a couple times before,
>> but never made it into the code. Are you saying that the idea itself
>> is viable and that a patch could be accepted?
>
> The problem is that the mainloop is an old select()-based monster, so
> adding a decent timer system to it will be ugly and will make it harder
> to fix later.
>
> Once Markus finishes the refactoring that he's working on at the moment,
> I'm planning on taking a look at cleaning the mainloop up and adding a
> decent timer mechanism.
>
> I'm reticent to add a special-case timer to sftp-server before that
> happens, though improving sftp's reporting of the underlying ssh
> connection going away seems like a good idea.

Hi Damien,

Thank you for the background, that was very helpful.

Tomas
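Damien's point above is that a per-channel idle timeout inside a select()-based mainloop means turning a set of channel deadlines into the single timeout select() accepts and then reaping expired channels after it returns. The sketch below is an added illustration of that shape and is not OpenSSH code; the struct idle_chan layout and the idle_* function names are hypothetical.

```c
#include <sys/select.h>
#include <sys/time.h>
#include <time.h>

/* Hypothetical per-channel idle state (not sshd's channel struct). */
struct idle_chan {
    int fd;             /* -1 marks a closed/unused slot */
    time_t last_active; /* last read or write on this channel */
    time_t idle_limit;  /* seconds of inactivity allowed; 0 = no limit */
};

/* Seconds until the earliest idle deadline, or -1 if no channel has one.
 * Deadlines already in the past yield 0 so select() returns immediately. */
long idle_next_timeout(const struct idle_chan *c, int n, time_t now)
{
    long best = -1;
    for (int i = 0; i < n; i++) {
        if (c[i].fd < 0 || c[i].idle_limit == 0)
            continue;
        long remain = (long)(c[i].last_active + c[i].idle_limit - now);
        if (remain < 0)
            remain = 0;
        if (best < 0 || remain < best)
            best = remain;
    }
    return best;
}

/* Mark every channel past its idle deadline as closed; return how many. */
int idle_expire(struct idle_chan *c, int n, time_t now)
{
    int closed = 0;
    for (int i = 0; i < n; i++) {
        if (c[i].fd < 0 || c[i].idle_limit == 0)
            continue;
        if (now - c[i].last_active >= c[i].idle_limit) {
            c[i].fd = -1; /* a real server would also log and free it */
            closed++;
        }
    }
    return closed;
}

/* One mainloop iteration: bound select() by the nearest deadline, then
 * expire idle channels whether select() woke for I/O, timeout or EINTR. */
int idle_loop_once(struct idle_chan *c, int n, fd_set *rfds, int maxfd)
{
    struct timeval tv, *tvp = NULL;
    long t = idle_next_timeout(c, n, time(NULL));
    if (t >= 0) { tv.tv_sec = t; tv.tv_usec = 0; tvp = &tv; }
    int r = select(maxfd + 1, rfds, NULL, NULL, tvp);
    idle_expire(c, n, time(NULL));
    return r;
}
```

Callers must reset last_active on every read or write for the channel, otherwise an active session is torn down like an idle one.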