On Tuesday 15 August 2006 07:53, Darren Tucker wrote:
> Christian Iversen wrote:
> > Hi openssh devs.
> >
> > We submit for your review a patch we have made for sshd, regarding
> > traffic accounting. The native version of openssh does not support
> > traffic accounting, making it quite hard to monitor traffic usage on a
> > per-user basis.
> >
> > The patch in question
> > - Does not log anything except the total amount of data transmitted, when
> > the connection is closed.
> >
> > - Is very simple, only a handful of lines.
> >
> > - Only uses extremely simple integer arithmetic, and therefore
> > correctness is easily verified by reading the patch.
> >
> > - Is enabled by configuration option in sshd_config, and is _disabled_ by
> > default.

> I see no such option (I'm not sure another sshd_config option would help
> your cause, though). Did you attach the version of the patch that you
> intended to?

We didn't actually write that functionality, in case the patch would be
rejected. I'll add it right away if you think there's some chance it could be

> > The motivation for this patch springs from a direct need to have some
> > overview over the bandwidth usage for each user on our system. We have to
> > pay costs per gigabyte transferred, and although this information _could_
> > be gathered from other sources, it would be tedious and very much
> > unusual. Users of proftpd, apache and postfix, do not have to use (say)
> > iptables to log the amount of traffic transmitted.

> Users of proftpd, apache and postfix don't usually have the option to
> run other programs to generate their network traffic.

I'm sorry, but I don't really understand what you are trying to point out? I
mean, I can see that the statement is true, but I don't see the relevance. If
the user uses, say, mutt to read his email, would you actually rather have
mutt do the traffic accounting?

> On a related note, your patch does not appear to account for traffic
> sent and received from port forwards

That, I'll look into. Thanks.

> (it'll count it as it arrives in the encrypted pipe, but not once it goes
> back out over the network).

You mean in the case of remote port forwards? In case the user forwards a port
on, we don't want to count traffic. Or at least, we want to count
it seperately.

> >+ulong bytes_in = 0;
> >+ulong bytes_out = 0;

> [...]
> > extern u_int max_packet_size;
> > +extern u_long bytes_out;
> > +extern u_long bytes_in;

> These types don't exactly match (u_long is preferred).

I'm sorry, what do you mean? Are you referring to the signedness issue below?

> [...]
> > + logit("Accounting: Bytes in/out: %ld/%ld", bytes_in, bytes_out);

> bytes_in and bytes_out are unsigned but the format string is signed.

Oops, my bad. Indeed, that would be a problem if the user transferred more
bytes than there are atoms in the universe ;-)

I'll correct the things you pointed out, and resend the patch shortly.

Christian Iversen
openssh-unix-dev mailing list