This is a discussion on Re: Patch for openssh server - openssh ; On Tuesday 15 August 2006 07:53, Darren Tucker wrote: > Christian Iversen wrote: > > Hi openssh devs. > > > > We submit for your review a patch we have made for sshd, regarding > > traffic accounting. The ...
On Tuesday 15 August 2006 07:53, Darren Tucker wrote:
> Christian Iversen wrote:
> > Hi openssh devs.
> > We submit for your review a patch we have made for sshd, regarding
> > traffic accounting. The native version of openssh does not support
> > traffic accounting, making it quite hard to monitor traffic usage on a
> > per-user basis.
> > The patch in question
> > - Does not log anything except the total amount of data transmitted, when
> > the connection is closed.
> > - Is very simple, only a handful of lines.
> > - Only uses extremely simple integer arithmetic, and therefore
> > correctness is easily verified by reading the patch.
> > - Is enabled by configuration option in sshd_config, and is _disabled_ by
> > default.
> I see no such option (I'm not sure another sshd_config option would help
> your cause, though). Did you attach the version of the patch that you
> intended to?
We didn't actually write that functionality, in case the patch would be
rejected. I'll add it right away if you think there's some chance it could be
> > The motivation for this patch springs from a direct need to have some
> > overview over the bandwidth usage for each user on our system. We have to
> > pay costs per gigabyte transferred, and although this information _could_
> > be gathered from other sources, it would be tedious and very much
> > unusual. Users of proftpd, apache and postfix, do not have to use (say)
> > iptables to log the amount of traffic transmitted.
> Users of proftpd, apache and postfix don't usually have the option to
> run other programs to generate their network traffic.
I'm sorry, but I don't really understand what you are trying to point out? I
mean, I can see that the statement is true, but I don't see the relevance. If
the user uses, say, mutt to read his email, would you actually rather have
mutt do the traffic accounting?
> On a related note, your patch does not appear to account for traffic
> sent and received from port forwards
That, I'll look into. Thanks.
> (it'll count it as it arrives in the encrypted pipe, but not once it goes
> back out over the network).
You mean in the case of remote port forwards? In case the user forwards a port
on 127.0.0.1, we don't want to count traffic. Or at least, we want to count
> >+ulong bytes_in = 0;
> >+ulong bytes_out = 0;
> > extern u_int max_packet_size;
> > +extern u_long bytes_out;
> > +extern u_long bytes_in;
> These types don't exactly match (u_long is preferred).
I'm sorry, what do you mean? Are you referring to the signedness issue below?
> > + logit("Accounting: Bytes in/out: %ld/%ld", bytes_in, bytes_out);
> bytes_in and bytes_out are unsigned but the format string is signed.
Oops, my bad. Indeed, that would be a problem if the user transferred more
bytes than there are atoms in the universe ;-)
I'll correct the things you pointed out, and resend the patch shortly.
openssh-unix-dev mailing list