Mickel Daelmans | Add to Favorites
2017-Sep-11 10:30 UTC
'No more sessions available' / channels not closing issue
Hi all,

We've run into a curious issue.

We run CentOS 6.5 with openssh installed (OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 by default). We connect to this server through sftp (Subsystem sftp internal-sftp) using the Java JSch library. When opening many sftp channels on a single ssh session, OpenSSH does not seem to release the sftp channels closed from the client side when there are still sftp channels open that were opened later than the channel that is closed, eventually resulting in "No more sessions available".

Here is what happens:

1) We open sftp connection (1) to server
2) We open another sftp connection (2) to server (before connection 1 is closed)
3) We close connection 1 before connection 2 is closed
4) Connection 1 will not be released because connection 2 is still open
5) We open connection 3.
6) We close connection 2, but it will not be released because connection 3 is still open. Connection 1 will also not be released because 2 is not released, etc.

When the connections are closed "lifo" (last in first out) all works as expected.

Is this a bug or by design? Is there a way to prevent this "leak"? Is there a way to timeout unused channels (not sessions)?

We have MaxSessions raised but those will eventually max out too.

Thanks in advance,

(apologies if this mail is received twice, seem to have run into an SPF issue)

Mickel Daelmans
Jakub Jelen
2017-Sep-12 07:57 UTC
'No more sessions available' / channels not closing issue
On Mon, 2017-09-11 at 10:30 +0000, Mickel Daelmans | Add to Favorites wrote:
> Hi all,
>
> We've run into a curious issue.
>
> We run CentOS 6.5 with openssh installed (OpenSSH_5.3p1, OpenSSL
> 1.0.1e-fips 11 Feb 2013 by default). We connect to this server
> through sftp (Subsystem sftp internal-sftp) using the Java JSch
> library. When opening many sftp channels on a single ssh session,
> OpenSSH does not seem to release the sftp channels closed from the
> client side when there are still sftp channels open that were opened
> later than the channel that is closed, eventually resulting in "No
> more sessions available".

The obvious questions: Can you reproduce it with the OpenSSH client or only with the Java library? Can you reproduce it with the latest OpenSSH server? In this old OpenSSH version, it can be caused by many factors.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
Mickel Daelmans | Add to Favorites
2017-Sep-12 09:23 UTC
'No more sessions available' / channels not closing issue
Hi Jakub,

Thanks for your reply.

It can be reproduced with the shell as follows:

1) Add the following lines to ssh_config:

    ControlMaster auto
    ControlPath ~/.ssh/control:%h:%p:%r

2) Open 2 sftp connections to the same machine:

    sftp user@host

3) Exit from the first connection (this will block until you close the second one). If you exit the second while leaving the first open, it will exit gracefully.
4) The same happens when opening 3 channels. Closing the second blocks until the 3rd is closed. Etc.

This will snowball in our case. We usually open a new channel before the last channel is completed and exited.

OpenSSH_6.6 does not have this issue.

Is there a patch available for OpenSSH_5.3p1, OpenSSL 1.0.1e-fips (still the default for CentOS 6.5), or do we need to upgrade to OpenSSH 6?

Thanks,

Mickel Daelmans
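
The release pattern reported in this thread, as a small model added here as an example (it is not code from the posters or from OpenSSH). The class, function and flag names are hypothetical, and the release rule is taken only from the behaviour described in the messages above; it shows why raising MaxSessions delays the "No more sessions available" error but does not prevent it.

```python
"""Model of the channel-release behaviour reported in the thread (constructed, not sshd code)."""


class SessionTable:
    """Server-side session slots for one multiplexed SSH connection (hypothetical model)."""

    def __init__(self, max_sessions=10, reported_53_behaviour=True):
        # 10 is the sshd_config default for MaxSessions.
        self.max_sessions = max_sessions
        self.reported_53_behaviour = reported_53_behaviour
        self.slots = []  # [channel_id, client_closed] in the order channels were opened

    def open(self, channel_id):
        if len(self.slots) >= self.max_sessions:
            raise RuntimeError("No more sessions available")
        self.slots.append([channel_id, False])

    def close(self, channel_id):
        for slot in self.slots:
            if slot[0] == channel_id:
                slot[1] = True
        if self.reported_53_behaviour:
            # Reported rule: a closed channel is only released once every
            # channel opened after it has been released as well.
            while self.slots and self.slots[-1][1]:
                self.slots.pop()
        else:
            # Behaviour the poster expects: release on close.
            self.slots = [s for s in self.slots if not s[1]]

    def held(self):
        return len(self.slots)


def overlapping_transfers(table, transfers):
    """Open channel n+1 before closing channel n; return how many opens succeeded."""
    table.open(1)
    opened = 1
    for n in range(2, transfers + 1):
        try:
            table.open(n)
        except RuntimeError:
            return opened
        opened += 1
        table.close(n - 1)
    return opened


if __name__ == "__main__":
    for limit in (10, 64):
        ok = overlapping_transfers(SessionTable(limit), 1000)
        print(f"MaxSessions={limit}: failed after {ok} channels")
    print("release on close:", overlapping_transfers(SessionTable(10, False), 1000))
```
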