Hi openssh devs.

We submit for your review a patch we have made for sshd, regarding traffic
accounting. The native version of openssh does not support traffic
accounting, making it quite hard to monitor traffic usage on a per-user
basis.

The patch in question
- Does not log anything except the total amount of data transmitted, when the
connection is closed.

- Is very simple, only a handful of lines.

- Only uses extremely simple integer arithmetic, and therefore correctness is
easily verified by reading the patch.

- Is enabled by configuration option in sshd_config, and is _disabled_ by
default.

The motivation for this patch springs from a direct need to have some overview
over the bandwidth usage for each user on our system. We have to pay costs
per gigabyte transferred, and although this information _could_ be gathered
from other sources, it would be tedious and very much unusual. Users of
proftpd, apache and postfix do not have to use (say) iptables to log the
amount of traffic transmitted.

In the discussion of traffic accounting, one question naturally arises. Why is
it that no one has made this patch before? Actually, this patch has been made
several times over, by different sources, mostly by people who run their own
(patched) version of sshd. A few times, a patch similar to the attached one
has been sent to this mailing list. However, for a variety of reasons, they
never got in ssh.

We would very much like to hear your opinion on our patch, and whether you
think it's possible to have it included in ssh or not.


(The actual patch sent lacks the config-file support. We would like to hear
your opinion before we spend time on the final version. We also send a unit
test (run.sh), which can be used to test the traffic accounting system. The
expected amounts given in the file are approximate.)

Thank you for your time.

--
Regards,
Christian Iversen,
Thomas Damgaard Nielsen

Attachment: openssh-traffic-accounting-patch-3.8.1p1.sarge4.patch

diff -ru openssh-3.8.1p1/packet.c ../openssh-3.8.1p1-debian/packet.c
--- openssh-3.8.1p1/packet.c 2006-08-03 01:35:08.646166473 +0200
+++ ../openssh-3.8.1p1-debian/packet.c 2006-08-03 01:36:21.958529134 +0200
@@ -143,6 +143,9 @@
};
TAILQ_HEAD(, packet) outgoing;

+ulong bytes_in = 0;
+ulong bytes_out = 0;
+
/*
* Sets the descriptors used for communication. Disables encryption until
* packet_set_encryption_key is called.
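Review bot: the counters are defined here as `ulong` but packet.h exports them as `extern u_long`; `ulong` is a glibc typedef rather than the `u_long` spelling used elsewhere in OpenSSH, so the two declarations should agree, and `u_long` is only 32 bits on ILP32 hosts, where a long-lived session that moves more than 4 GiB silently wraps the counter. A fixed-width 64-bit type would avoid that. Consider also prefixing the names (e.g. `packet_bytes_in`) or exposing them through an accessor in packet.c rather than bare globals, so the packet layer keeps control of the values.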
@@ -562,6 +565,9 @@
cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
buffer_len(&outgoing_packet));

+ /* Traffic accounting */
+ bytes_out += buffer_len(&outgoing_packet);
+
#ifdef PACKET_DEBUG
fprintf(stderr, "encrypted: ");
buffer_dump(&output);
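Review bot: this increments `bytes_out` by the plaintext length handed to `cipher_crypt`, i.e. the padded SSH1 packet body, which is not necessarily what goes out on the socket (the length prefix written to `output` is not included), and it is one of two separate send paths that each need their own increment. Accounting once at the point where `output` is actually written to the socket (the write-poll path in packet.c) would count real wire bytes for both protocol versions with a single line and would not drift out of step when either send path changes.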
@@ -732,6 +738,9 @@
cp[4] = padlen;
DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));

+ /* Traffic accounting */
+ bytes_out += packet_length;
+
/* compute MAC over seqnr and packet(length fields, payload, padding) */
if (mac && mac->enabled) {
macbuf = mac_compute(mac, p_send.seqnr,
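Review bot: `bytes_out += packet_length` counts only the value of the length field; the debug line just above already reports the packet as `packet_length+4` bytes, and the MAC computed immediately below adds `mac->mac_len` more, so every SSH2 packet is under-counted by 4 bytes plus the MAC. Either add those here, e.g. `bytes_out += packet_length + 4 + (mac && mac->enabled ? mac->mac_len : 0);` placed after the MAC branch, or move the accounting to where the bytes are written to the socket so the count is independent of the packet format.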
@@ -1200,6 +1209,9 @@
void
packet_process_incoming(const char *buf, u_int len)
{
+ /* Traffic accounting */
+ bytes_in += len;
+
buffer_append(&input, buf, len);
}

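Review bot: `bytes_in` is incremented with the raw count of bytes read from the socket, so it includes length fields, padding and MACs, while the two outbound hunks above count plaintext packet lengths that exclude them. The in/out figures in the final log line are therefore measured at different layers and are not comparable with each other or with the peer's view; pick one layer (wire bytes is the natural choice for billing) for both directions and say which one the log line reports.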
diff -ru openssh-3.8.1p1/packet.h ../openssh-3.8.1p1-debian/packet.h
--- openssh-3.8.1p1/packet.h 2006-08-03 01:35:08.647166314 +0200
+++ ../openssh-3.8.1p1-debian/packet.h 2006-08-02 23:07:40.488690915 +0200
@@ -82,6 +82,8 @@
void tty_parse_modes(int, int *);

extern u_int max_packet_size;
+extern u_long bytes_out;
+extern u_long bytes_in;
u_int packet_set_maxsize(u_int);
#define packet_get_maxsize() max_packet_size

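Review bot: the `extern u_long` declarations do not match the `ulong` definitions in packet.c; make both the same type (preferably a fixed-width 64-bit one) so the build does not rely on a non-standard typedef agreeing with `u_long` on every platform. If the counters stay as globals, a short comment here stating what they measure (wire bytes vs. payload) would save the next reader from reading packet.c to find out.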
diff -ru openssh-3.8.1p1/sshd.c ../openssh-3.8.1p1-debian/sshd.c
--- openssh-3.8.1p1/sshd.c 2006-08-03 01:35:08.659164410 +0200
+++ ../openssh-3.8.1p1-debian/sshd.c 2006-08-03 00:12:22.195522844 +0200
@@ -1522,6 +1522,8 @@

packet_close();

+ logit("Accounting: Bytes in/out: %ld/%ld", bytes_in, bytes_out);
+
if (use_privsep)
mm_terminate();

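Review bot: `%ld` is the signed conversion but the counters are unsigned, so totals above `LONG_MAX` print as negative numbers; use `%lu` (or `%llu` with a 64-bit counter). The line also carries no username or peer address, although the stated goal is per-user accounting; `logit` runs here after `do_authenticated` has returned, so the authenticated user (e.g. `authctxt->user`) is available and belongs in the message along with the remote address. Finally, the `use_privsep` check right below is a reminder that with privilege separation these are plain process globals: bytes handled by a different process (the pre-authentication child) are not in this total, so either document that the figure covers the post-authentication session only or accumulate the counts across processes.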
Attachment: run.sh

#!/bin/sh
# Exercises the sshd traffic accounting against a test instance listening on
# localhost:2200. Each "Expect in / out" line gives the approximate figure to
# compare with the "Accounting: Bytes in/out" entry sshd logs when that
# connection closes.

# POSIX test(1) uses "=", not "=="; dash rejects the latter
[ "$1x" = "x" ] && echo "Usage: $0 <user>" && exit 1

HOST="$1@localhost"
PORT=2200

# tempfile(1) is Debian-specific; the test targets a sarge system
RAND=$(tempfile)
ZERO=$(tempfile)
JUNK=$(tempfile)

# 100 KiB of zeros (compresses well) and 100 KiB of random data (does not)
dd if=/dev/zero of="$ZERO" bs=1k count=100 2>/dev/null
dd if=/dev/urandom of="$RAND" bs=1k count=100 2>/dev/null

sync

# Copy files to server
# The remote command must actually read stdin ("cat > /dev/null"); a bare
# "> /dev/null" exits at once and the channel closes before the data is sent.

echo "Expect 100k / 0k"
cat "$ZERO" | ssh -p "$PORT" "$HOST" "cat > /dev/null"
echo "Expect 5k / 0k"
cat "$ZERO" | ssh -C -p "$PORT" "$HOST" "cat > /dev/null"
echo "Expect 100k / 0k"
cat "$RAND" | ssh -p "$PORT" "$HOST" "cat > /dev/null"
echo "Expect 100k / 0k"
cat "$RAND" | ssh -C -p "$PORT" "$HOST" "cat > /dev/null"

# $JUNK is a local path, but the server is localhost so it is valid there too
echo "Expect 100k / 0k"
scp -P "$PORT" "$ZERO" "$HOST:$JUNK"
echo "Expect 5k / 0k"
scp -C -P "$PORT" "$ZERO" "$HOST:$JUNK"
echo "Expect 100k / 0k"
scp -P "$PORT" "$RAND" "$HOST:$JUNK"
echo "Expect 100k / 0k"
scp -C -P "$PORT" "$RAND" "$HOST:$JUNK"

# Copy files from server

echo "Expect 0k / 100k"
ssh -p "$PORT" "$HOST" "cat $ZERO" > /dev/null
echo "Expect 0k / 5k"
ssh -C -p "$PORT" "$HOST" "cat $ZERO" > /dev/null
echo "Expect 0k / 100k"
ssh -p "$PORT" "$HOST" "cat $RAND" > /dev/null
echo "Expect 0k / 100k"
ssh -C -p "$PORT" "$HOST" "cat $RAND" > /dev/null

echo "Expect 0k / 100k"
scp -P "$PORT" "$HOST:$ZERO" "$JUNK"
echo "Expect 0k / 5k"
scp -C -P "$PORT" "$HOST:$ZERO" "$JUNK"
echo "Expect 0k / 100k"
scp -P "$PORT" "$HOST:$RAND" "$JUNK"
echo "Expect 0k / 100k"
scp -C -P "$PORT" "$HOST:$RAND" "$JUNK"

echo "Done"

# Remove all three temporary files, including the scp target
rm -f "$RAND" "$ZERO" "$JUNK"

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
