[Bug 3484] New: RFE: implement a "sftp_timeout" property on backend to automatically close idle connections
bugzilla-daemon at mindrot.org
Wed Oct 19 01:53:59 AEDT 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3484
Bug ID: 3484
Summary: RFE: implement a "sftp_timeout" property on backend to automatically close idle connections
Product: Portable OpenSSH
Version: 8.8p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs at mindrot.org
Reporter: rmetrich at redhat.com
Currently there is no way for the sftp backend (sftp-server or
internal-sftp) to close idle connections (by idle I mean no order sent
for some time by the sftp client).
This is very problematic for SFTP servers because clients can remain
connected, which consumes file descriptors and resources in general,
potentially causing system limits to be reached.
This is a case I handled recently, where system-wide file descriptors
were exhausted, due to left-open sftp sessions + corresponding
systemd sessions.
There are "ClientAlive*" properties but these only work for dead
clients.
So far, the only solution I found is to have a script that runs
regularly and checks if /proc/<sftpserver>/fd/0 access time is older
than a certain timestamp, and kills the PID accordingly.
See also Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=2135811.
--
You are receiving this mail because:
You are watching the assignee of the bug.
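The periodic check described in the report, written out as a shell script. This is an added example, not the reporter's script or OpenSSH code. It assumes Linux /proc, GNU stat and procps pgrep, and that the access time behind fd 0 tracks the last client request as the report describes; IDLE_LIMIT, PROC_NAME and DRY_RUN are hypothetical names with constructed defaults.

```shell
#!/bin/sh
# Added example (not OpenSSH code): terminate sftp-server processes whose
# stdin (/proc/PID/fd/0) has not been accessed for IDLE_LIMIT seconds.
# Assumptions: Linux /proc, GNU stat, procps pgrep; names and defaults are constructed.

IDLE_LIMIT="${IDLE_LIMIT:-3600}"      # idle threshold in seconds (constructed default)
PROC_NAME="${PROC_NAME:-sftp-server}" # internal-sftp runs inside sshd and is not matched
DRY_RUN="${DRY_RUN:-1}"               # 1 = only report, 0 = send SIGTERM

# idle_seconds PATH [NOW]: print seconds since PATH was last accessed.
# -L follows the /proc/PID/fd/0 symlink to the pipe or socket behind it.
idle_seconds() {
    is_now="${2:-$(date +%s)}"
    is_atime=$(stat -L -c %X "$1" 2>/dev/null) || return 1
    echo $((is_now - is_atime))
}

# is_idle PATH LIMIT [NOW]: succeed only if PATH has been idle longer than LIMIT.
# A path that cannot be read (process gone, no permission) is never "idle".
is_idle() {
    ii_idle=$(idle_seconds "$1" "${3:-}") || return 1
    [ "$ii_idle" -gt "$2" ]
}

# reap_idle: walk matching processes and terminate (or report) the idle ones.
reap_idle() {
    for ri_pid in $(pgrep -x "$PROC_NAME"); do
        is_idle "/proc/$ri_pid/fd/0" "$IDLE_LIMIT" || continue
        # Re-check the name just before signalling to narrow the PID-reuse window.
        [ "$(cat "/proc/$ri_pid/comm" 2>/dev/null)" = "$PROC_NAME" ] || continue
        if [ "$DRY_RUN" = 1 ]; then
            echo "idle: $PROC_NAME pid $ri_pid"
        else
            kill -TERM "$ri_pid"
        fi
    done
}

# Run only when asked, e.g. from cron: sh reap-idle-sftp.sh run
case "${1:-}" in run) reap_idle ;; esac
```

With the default DRY_RUN=1 the script only lists candidates, which allows the threshold to be checked against real sessions before DRY_RUN=0 is set.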