This is done with two configuration changes: first, using the ClientAlive settings in the SSH server to take action on connections without a responsive client, and second, using `logind` configuration to specify that processes belonging to that session are to be terminated rather than re-parented as orphans.

A downside is that running `ssh` with even a single `-v` (verbose) flag will spam annoying messages to the screen during the session. I have often used the lowest level of verbosity to see at what stage a connection being established is hanging or slow; now I cannot leave that flag on anymore.

Verification is a bit of a pain. First, it is best to have two paths to the test computer, e.g. allocate two VMs, where one acts as an SSH jump host to a test VM, and also connect to the test VM directly from your laptop: that way you can cut network access to the jump host and observe the results. Second, it is important to know that signal propagation in SSH differs depending on whether a `pty` is allocated (e.g. for interactive mode): with a `pty`, SIGHUP is propagated, and most processes will decide to exit at that point. Without a `pty`, there is no signal. So, when testing this, it is better to do something like:

```
ssh host sleep 3600
```

to start a session that is non-interactive and waits. By omitting the changes in this patch, you should be able to see `sleep` hanging around after the SSH server has closed the forked SSH process because of a non-responsive client. You can use `pstree -s` to check its parentage. From the session with the jump host, start such a hanging command.

Then, on your other connection, drop TCP packets to the jump host's address by running `nft -f` on nftables rules like these, substituting the `saddr` with the jump host address:

```
add table inet filter
flush table inet filter
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ip6 saddr 2a01:4f8:2b01:d85:214a::2 tcp dport 22 drop
    }
}
```

By using commands like `w` and `loginctl list-sessions`, you should see the process disappear after a moment. If you need to reset the test and allow the jump host to send traffic again, use `nft -f` again with:

```
delete table inet filter;
```
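The two configuration changes and the `pstree -s` parentage check above, as an added shell example that is not part of this patch: it writes the sshd and logind drop-in files under a configurable root, and walks `/proc` to print a process's ancestor chain so you can see whether a leftover `sleep` still sits under the session `sshd` or has been re-parented. The drop-in file names, the 15 s / 3 probe values and the `ancestry` and `under_sshd` helpers are my own assumptions; `ClientAliveInterval`, `ClientAliveCountMax` and `KillUserProcesses` are the real option names. The sshd drop-in only takes effect where `sshd_config` has an `Include` for `sshd_config.d`, as recent distributions ship; otherwise append the two lines to `sshd_config` itself.

```shell
#!/bin/sh
# Added example, not part of the original patch.  File names and the
# 15s/3 values are assumptions; the option keys are real sshd_config and
# logind.conf keys.
set -u

# sshd: probe an idle client every $2 seconds over the encrypted channel;
# after $3 unanswered probes the connection and its forked session sshd
# are torn down.
write_sshd_keepalive() {   # $1 = config root (e.g. /etc), $2 = interval, $3 = count
    d="$1/ssh/sshd_config.d"
    mkdir -p "$d"
    cat > "$d/50-clientalive.conf" <<EOF
# Drop a connection whose client has not answered $3 probes sent $2 s apart,
# i.e. after roughly $(( $2 * $3 )) seconds of silence.
ClientAliveInterval $2
ClientAliveCountMax $3
EOF
    echo "$d/50-clientalive.conf"
}

# logind: kill the session's processes when the session ends instead of
# leaving them re-parented to PID 1 as orphans.
write_logind_kill() {      # $1 = config root (e.g. /etc)
    d="$1/systemd/logind.conf.d"
    mkdir -p "$d"
    cat > "$d/50-kill-user-processes.conf" <<'EOF'
[Login]
KillUserProcesses=yes
EOF
    echo "$d/50-kill-user-processes.conf"
}

# Seconds of client silence sshd tolerates for the given interval and count.
keepalive_timeout() { echo $(( $1 * $2 )); }

# Print "pid comm" for $1 and each of its ancestors, root first, much like
# `pstree -s`, by following the ppid field in /proc/<pid>/stat.
ancestry() {
    pid=$1; chain=""
    while [ "$pid" -gt 0 ] && [ -r "/proc/$pid/stat" ]; do
        line=$(cat "/proc/$pid/stat")
        # Field 2 is "(comm)" and may itself contain spaces or parentheses,
        # so split on the last ") "; ppid is then the 2nd remaining field.
        comm=${line#*(}; comm=${comm%)*}
        rest=${line##*) }
        ppid=$(printf '%s\n' "$rest" | cut -d' ' -f2)
        chain="$pid $comm
$chain"
        pid=$ppid
    done
    printf '%s' "$chain"
}

# Exit 0 when an sshd process is somewhere above $1; non-zero when the
# process has been orphaned away from its session sshd (the case the
# logind change is meant to prevent).
under_sshd() { ancestry "$1" | grep -q ' sshd$'; }
```

Run `write_sshd_keepalive /etc 15 3` and `write_logind_kill /etc` as root, then reload the sshd and logind configuration. While a `ssh host sleep 3600` session is being starved of traffic by the nftables rule, `ancestry $(pgrep -n sleep)` should first show the chain ending in `sshd` and `sleep`; without the logind change the `sleep` survives and `under_sshd` starts failing once it has been re-parented, with the change applied the process is gone altogether.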