0 votes
by (290 points)

Is there a setting in SFTP server which defines the max inactivity time for sessions? I'm looking at ServerSettings.MaxSessionDuration, but it's not clear whether it refers to the whole session duration, or only the inactive duration.

Thanks in advance.

1 Answer

0 votes
by (147k points)

MaxSessionDuration specifies when SSH session renegotiation is to occur. This does not disconnect the user, it just renegotiates encryption keys. Forcing reauthentication is not supported by the SSH protocol.

Disconnect users after a period of inactivity is not currently supported, although some form of it can be implemented by closing instances of ServerSession obtained through FileServer.Sessions, although detecting inactivity might be tricky.

by (290 points)
"Disconnect users after a period of inactivity is not currently supported" - any chance for it to be in the (near) future?
by (147k points)
I guess we should at least make that easier. However, how do you define "inactivity"? Should session that only pings the server wish an "ignore" packet every minute to be considered inactive?
by (290 points)
At a high level, I would define activity as commands issued by SFTP clients as a result of explicit user interaction or scripts (in case of unattended clients). Anything else (and I am aware that this is rather generic) would fall in the category of inactivity.
by (147k points)
That's quite tricky, because at the server, there is no way to determine which activity is a result of explicit user interaction. However, I guess we will try adding a LastActivity (DateTime) property (while possibly making it possible to specify which actions are to be consideres 'activity') to ServerSession to make it possible to implement the auto-disconnect feature. I added this to our list of future improvements.
by (290 points)
If the client is configured to keep alive the session (e.g. https://winscp.net/eng/docs/ui_login_connection#keepalives), does FileServer expose events in which we could identify the type of packet received (such as SSH_MSG_IGNORE or SSH_FXP_REALPATH)?
by (147k points)
Exposing SSH_MSG_IGNORE event doesn't look like a good idea. These packets are also used to mitigate some kinds of attacks on CBC ciphers, in which case they are send with every packet.
Firing an event for SSH_FXP_REALPATH would be somewhat arbitrary. This is not actually a keep-alive mechanism, it's SFTP protocol's path canonicalization request that doesn't change anything, which makes it possible to misuse it to trick SFTP servers into detecting "ativity". Other SFTP requests such as SSH_FXP_STAT could be used instead. However, it is possible to detect actual file system activity using our virtual file system API (see https://www.rebex.net/file-server/features/virtual-file-systems.aspx).
...