Ask a Question

Does the file server disconnect or force authentication of users after a specified period of inactivity?

0 votes
asked Jul 25, 2018 by Paula (290 points)

Is there a setting in SFTP server which defines the max inactivity time for sessions? I'm looking at ServerSettings.MaxSessionDuration, but it's not clear whether it refers to the whole session duration, or only the inactive duration.

Thanks in advance.

1 Answer

0 votes
answered Jul 26, 2018 by Lukas Pokorny (107,310 points)

MaxSessionDuration specifies when SSH session renegotiation is to occur. This does not disconnect the user, it just renegotiates encryption keys. Forcing reauthentication is not supported by the SSH protocol.

Disconnect users after a period of inactivity is not currently supported, although some form of it can be implemented by closing instances of ServerSession obtained through FileServer.Sessions, although detecting inactivity might be tricky.

commented Jul 26, 2018 by Paula (290 points)
"Disconnect users after a period of inactivity is not currently supported" - any chance for it to be in the (near) future?
commented Jul 27, 2018 by Lukas Pokorny (107,310 points)
I guess we should at least make that easier. However, how do you define "inactivity"? Should session that only pings the server wish an "ignore" packet every minute to be considered inactive?
commented Jul 30, 2018 by Paula (290 points)
At a high level, I would define activity as commands issued by SFTP clients as a result of explicit user interaction or scripts (in case of unattended clients). Anything else (and I am aware that this is rather generic) would fall in the category of inactivity.
commented Jul 31, 2018 by Lukas Pokorny (107,310 points)
That's quite tricky, because at the server, there is no way to determine which activity is a result of explicit user interaction. However, I guess we will try adding a LastActivity (DateTime) property (while possibly making it possible to specify which actions are to be consideres 'activity') to ServerSession to make it possible to implement the auto-disconnect feature. I added this to our list of future improvements.
commented Aug 20, 2018 by Paula (290 points)
If the client is configured to keep alive the session (e.g. https://winscp.net/eng/docs/ui_login_connection#keepalives), does FileServer expose events in which we could identify the type of packet received (such as SSH_MSG_IGNORE or SSH_FXP_REALPATH)?
commented Aug 20, 2018 by Lukas Pokorny (107,310 points)
Exposing SSH_MSG_IGNORE event doesn't look like a good idea. These packets are also used to mitigate some kinds of attacks on CBC ciphers, in which case they are send with every packet.
Firing an event for SSH_FXP_REALPATH would be somewhat arbitrary. This is not actually a keep-alive mechanism, it's SFTP protocol's path canonicalization request that doesn't change anything, which makes it possible to misuse it to trick SFTP servers into detecting "ativity". Other SFTP requests such as SSH_FXP_STAT could be used instead. However, it is possible to detect actual file system activity using our virtual file system API (see https://www.rebex.net/file-server/features/virtual-file-systems.aspx).

Related questions

Welcome to Q&A forum for C# and VB.NET developers working with following .NET components:

If you need immediate assistance, please contact us directly.

...