OpenSSH GSoC Project

Salvador Fandino sfandino at yahoo.com
Wed Mar 25 18:48:34 EST 2009


----- Original Message ----

> From: Ben Lindstrom <mouring at eviladmin.org>
> To: Salvador Fandino <sfandino at yahoo.com>
> Cc: openssh-unix-dev at mindrot.org
> Sent: Tuesday, March 24, 2009 4:08:10 PM
> Subject: Re: OpenSSH GSoC Project
>
> > - remove the max packet size limitation for read and write operations
> > that forces SFTP clients to send/get data in chunks. File data could be
> > moved directly between the network (actually from the slave SSH process
> > pipes) and the on disk file without going to a memory buffer first.
> 
> I suspect that would break the current RFC draft.  Thus would either an official 
> way to detecting, or an unofficial hack, you're talking to an older server.

The draft requires the server to accept at least 32KB packets, but it doesn't limit the maximum size in any way. An entry on the INIT reply could be used to tell the client the maximum packet size.
 
> > - implement an extension to allow rsync over SFTP (ssync :-)
> > 
> > - implement fine grained access control for the SFTP server, limiting
> > which SFTP operations are available (for instance, forbidding directory
> > reading).
> 
> The file permissions should be access control.  Having yet another layer on top 
> of it is silly.  The only valid argument ftp has for doing such garbage is they 
> support an "anonymous" mode where it isn't a real user.

That's like saying that firewalls are useless because access control can be performed at the service level.

Being able to establish policies from a central point would be a real advantage.


> > - implement an extensible SFTP server in a high level language as Perl
> > or Python.
> 
> Ugh.  No thank you.   After dealing with broken scripts at least once a month I 
> have no interest in seeing sftp-server become a script.  Unless you don't use 
> any CPAN modules there is no way to assure that your new sftp-server will be 
> compatible with the perl version installed on the machine (nor is it installed 
> on every class of machine).  As for python it isn't installed by 
> default under every OS.

I am not proposing to replace sftp-server with a Perl script, I am just
saying that it would be interesting to have an implementation in a high
level language to allow others to extend it in any way they want:
access control, logging, generating content on the fly, triggers,
whatever...

Cheers,

 - Salva
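
The INIT-reply idea discussed above, as an added example that is not part of the original message or of OpenSSH: a client parses the extension pairs of an SSH_FXP_VERSION packet and falls back to the 32KB floor when an older server sends no limit. The extension name `max-packet-size@example.com` and its uint32 encoding are assumptions made for illustration.

```python
import struct

SSH_FXP_VERSION = 2
DEFAULT_MAX_PACKET = 32 * 1024  # floor the message says the draft requires
HYPOTHETICAL_EXT = b"max-packet-size@example.com"  # assumed name, not from any draft

def _read_string(buf, off):
    """Read an SSH string (uint32 length + bytes) with bounds checks."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string overruns packet")
    return buf[off:off + n], off + n

def parse_version(packet):
    """Return (protocol_version, extensions) from an SSH_FXP_VERSION packet."""
    if len(packet) < 9:
        raise ValueError("packet too short")
    length, ptype, version = struct.unpack_from(">IBI", packet, 0)
    if ptype != SSH_FXP_VERSION or length != len(packet) - 4:
        raise ValueError("not a well-formed SSH_FXP_VERSION packet")
    exts, off = {}, 9
    while off < len(packet):  # zero or more (name, data) string pairs
        name, off = _read_string(packet, off)
        data, off = _read_string(packet, off)
        exts[name] = data
    return version, exts

def negotiated_max_packet(packet):
    """Advertised limit, or the 32KB floor for older servers or malformed values."""
    _, exts = parse_version(packet)
    raw = exts.get(HYPOTHETICAL_EXT)
    if raw is None or len(raw) != 4:  # assumed encoding: one uint32
        return DEFAULT_MAX_PACKET
    (limit,) = struct.unpack(">I", raw)
    return max(limit, DEFAULT_MAX_PACKET)  # never drop below the floor

def build_version(version, exts):
    """Construct a sample VERSION packet (constructed test data only)."""
    body = struct.pack(">BI", SSH_FXP_VERSION, version)
    for name, data in exts:
        body += struct.pack(">I", len(name)) + name
        body += struct.pack(">I", len(data)) + data
    return struct.pack(">I", len(body)) + body
```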

