[Bug 3650] New: [RFE] Implement a global channel timeout mechanism

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jan 9 09:30:51 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3650

            Bug ID: 3650
           Summary: [RFE] Implement a global channel timeout mechanism
           Product: Portable OpenSSH
           Version: 9.5p1
          Hardware: All
                OS: OpenBSD
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: josh at honorablemenschen.com

The ChannelTimeout directive specifies how long a channel is allowed to
remain idle before it is closed, which (according to bug 3362) is
supposed to be used to enable idle users to be disconnected. 
Unfortunately, it does not work unless you a) know exactly which
channel your user is using and b) only set the timeout for that
channel.  For example:

User A logs into the SSH server with X11 forwarding enabled, then makes
an SSH connection to a remote server.  Once on that server, they start
an Xterm window in the background and work in that.

User B logs into the SSH server and just starts working in that
session.

Which channel timeout should be enabled to disconnect any user that
logs in after being idle for 5 minutes?  If you use session:shell then
user A will be disconnected 5 minutes after they start using the Xterm
window, no matter what they do - because their interactive shell is
idle. If you use x11-connection, then user B will never get
disconnected for being idle, because they are not using X11 forwarding.
 If you use * for the channel, then you have the same problem as with
using the session:shell timeout, with the added bonus that if any users
open other channels then those channels will get disconnected after 5
minutes of idle even if the user is still active in a different
channel.  None of these result in a reliable method of disconnecting
users for being idle (and ONLY for being 100% idle).

What needs to be set up is a *GLOBAL* channel timeout, which has its
idle counter reset when there's activity on *ANY* channel, and
disconnects the user from all open channels when it hits the defined
value.  Otherwise there is no universal method for disconnecting idle
client sessions to replace the previously used
CLientAliveInteval/ClientAliveCountMax functionality that the
ChannelTimout was added to (theoretically) replace.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list