-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shell application idle timeouts active without configuration #3928
Comments
I understand it was unexpected to change it in the middle of the 3.1.x series like that. From my perspective, I just thought it'd be better to have conservative defaults especially with regards to security issues. So that's why it was turned off. Indeed,
Once you turn ping ponging on (by setting the environment variable to anything) we start ping ponging so we extend apache's connection timeout of 60 seconds (1 minute). So apache is timing you out in 2.x or below or 3.1.9 with this config. The 5 minutes then ends up being
Yea that's the security issue that this patched. 3.1.0 enabled ping pongs, but without any restrictions. You'll end up having ssh sessions potentially forever, and certainly much longer than any authentication timeout (perhaps even after the account has been disabled!). |
Jeff, |
You must have been lucky. If you generated activity you're OK - think tailing a file that never ends. There's always network activity so apache will keep the connection open. The issue is, if that
Kind of the opposite, it was added to keep the users' shell sessions active. The security patch was what gave us the way to disconnect. Indeed a quick discourse search seems to indicate what I suspected - for years folks have complained about shell sessions disconnecting easily. https://discourse.openondemand.org/search?q=shell%20timeout%20order%3Alatest Here's the history:
|
We recently upgraded a couple of our OnDemand hosts from 3.1.7 to 3.1.9 and have found that the shell application is disconnecting after 1 minute of inactivity. I found the documentation for the Ping Ponging feature that was added recently, but it says this feature should be disabled by default so this change in functionality is unexpected.
None of our hosts had the /etc/ood/config/apps/shell/env file to configure this feature. We have added it to the hosts running 3.1.9 in order to mitigate problems with this change, but I have found that when I set OOD_SHELL_PING_PONG=false it changes the idle timeout from 1 minute to 5 minutes.
I have also confirmed that on the host we reverted to 3.1.7 in a quick attempt to work around the httpd bug that no idle timeout is in effect.
The text was updated successfully, but these errors were encountered: