[I] TCP connection leakage issue when using the remote port forwarding feature [mina-sshd]

[via GitHub]

Moonergfp opened a new issue, #663:
URL: https://github.com/apache/mina-sshd/issues/663

   ### Version
   
   2.10.0
   
   ### Bug description
   
   When utilizing the remote port forwarding functionality, I've noticed that 
TCP connections are not being properly closed  between the SSH client process 
and the local port on the SSH client side.The issue occurs intermittently when 
the machine's resources are under significant strain, and currently, I can only 
reproduce it using the IntelliJ IDEA debug functionality.
   
   
![Image](https://github.com/user-attachments/assets/c5608fe6-b573-403f-a5af-41e908893519)
    As depicted in the attached image, these connections fail to close 
correctly  between the SSH client and  "near" component.
   
   
   Steps to Reproduce
   1. start client and server process in debug mode
   **client code**
   ```
    public static void main(String[] args) {
       SshClient sshClient = createSshClient();
       while (true) {
         startRemoteForwarding(sshClient);
         log.info("session is closed. starting next loop");
       }
     }
   
     private static void startRemoteForwarding(SshClient sshClient) {
       try (ClientSession session = sshClient.connect("abc", REMOTE_IP, 
REMOTE_PORT)
               .verify(10, TimeUnit.SECONDS)
               .getSession()) {
         session.auth().verify(10, TimeUnit.SECONDS);
         log.info("start remote port forwarding");
         try (PortForwardingTracker tracker = 
session.createRemotePortForwardingTracker(
                 new SshdSocketAddress(0), new SshdSocketAddress("localhost", 
8001))) {
           while (true) {
             try {
               log.info(" remote port forwarding loop... host:{},port:{}", 
"localhost", 8001);
               TimeUnit.SECONDS.sleep(15);
               if (session.isClosed()) {
                 log.error("session is closed,recreate remote forwarding");
                 break;
               }
             } catch (InterruptedException e) {
               Thread.currentThread().interrupt();
               break;
             }
           }
         }
       } catch (Exception e) {
         e.printStackTrace();
       }
     }
   
     private static SshClient createSshClient() {
       SshClient sshClient = SshClient.setUpDefaultClient();
       sshClient.setIoServiceFactoryFactory(new NettyIoServiceFactoryFactory());
       sshClient.setFilePasswordProvider(FilePasswordProvider.EMPTY);
   
       sshClient.setServerKeyVerifier(new StationKeyVerifier());
       sshClient.setForwardingFilter(AcceptAllForwardingFilter.INSTANCE);
   
       CoreModuleProperties.HEARTBEAT_REQUEST.set(sshClient, 
"keepal...@yeap.com");
       CoreModuleProperties.HEARTBEAT_INTERVAL.set(sshClient, 
Duration.ofSeconds(30));
       CoreModuleProperties.HEARTBEAT_REPLY_WAIT.set(sshClient, 
Duration.ofSeconds(20));
   
       sshClient.start();
       System.out.println("Client started");
       return sshClient;
     }
   
   ```
   
   **server code**
   ```
     public static void main(String[] args) throws IOException {
       SshServer sshServer = SshServer.setUpDefaultServer();
       sshServer.setPort(SSH_PORT);
       sshServer.setIoServiceFactoryFactory(new NettyIoServiceFactoryFactory());
       sshServer.setUserAuthFactories(
               Collections.singletonList(new 
StationUserAuthPublicKeyFactory()));
   
       StationAuthenticator authenticator = new StationAuthenticator();
       sshServer.setPublickeyAuthenticator(authenticator);
   
       String serverHostPrivateKey = "-----BEGIN OPENSSH PRIVATE KEY-----\n" +
               
"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n" +
               
"QyNTUxOQAAACBjTjHWMtYW7jP7cTt4FqBJFAqaj3v5vakOcTHh6HZWMAAAAKAiwJe4IsCX\n" +
               
"uAAAAAtzc2gtZWQyNTUxOQAAACBjTjHWMtYW7jP7cTt4FqBJFAqaj3v5vakOcTHh6HZWMA\n" +
               
"AAAECTa0CWNOJuBGfrwO1GeyGeAkFCt0PS2A5r0DQy2rwiFGNOMdYy1hbuM/txO3gWoEkU\n" +
               
"CpqPe/m9qQ5xMeHodlYwAAAAHHJvb3RAaVoyemU0eGh4eW5hODl4NjA4YmQyZ1oB\n" +
               "-----END OPENSSH PRIVATE KEY-----";
       sshServer.setKeyPairProvider(
               session ->
                       SecurityUtils.getKeyPairResourceParser()
                               .loadKeyPairs(
                                       session,
                                       NamedResource.ofName("station-config"),
                                       null,
                                       serverHostPrivateKey));
       sshServer.setCommandFactory(new ProcessShellCommandFactory());
   
       sshServer.setPasswordAuthenticator(null);
       sshServer.setForwardingFilter(AcceptAllForwardingFilter.INSTANCE);
       sshServer.addPortForwardingEventListener(new 
CustomPortForwardingEventListener());
   
       sshServer.start();
       log.info("Server started");
   
       new ChannelProbe(sshServer).start();
       log.info("Probe started");
   
       try {
         Thread.currentThread().join();
       } catch (InterruptedException e) {
         log.info("tunnel station interrupted, stopping", e);
         sshServer.stop();
         Thread.currentThread().interrupt();
       }
     }
   ```
   2. Set Breakpoints
   Navigate to the 
org.apache.sshd.server.forward.TcpipServerChannel#handleChannelConnectResult 
method and set a breakpoint on the line ”if (future.isConnected())“.
   <img width="1065" alt="Image" 
src="https://github.com/user-attachments/assets/d3799df4-2bbc-4e2f-b155-3d6e5440abb7";
 />
   
   The server will automatically initiate a connection to the client. 
Subsequently, the client will automatically connect to port 8001 to establish a 
connection. During this process, the code execution will pause at the 
breakpoint set in the TcpipServerChannel#handleChannelConnectResult method.
   It is recommended that you wait for a while, perhaps a few minutes.After 
that, resume the code execution from the breakpoint.At this point, the session 
will actually be closed. Logically, all connections to port 8001 should also be 
terminated.
   However, when you execute the ss command on the client machine with the 
following filter: ss -lanp |grep 8001 |grep ES |grep java, you will notice that 
some connections remain open and have not been properly closed.
   
   
   
   
   
   
   
   
   
   
   ### Actual behavior
   
   Under resource - constrained conditions and when using IntelliJ IDEA's debug 
mode, connections between the SSH client and the "near" component do not close 
as expected, resulting in resource leakage and potential system instability.
   
   ### Expected behavior
   
   Regardless of the system's resource state, once the SSH client connections 
are closed or the relevant operations are completed, all connections between 
the SSH client and the "near" component should be properly terminated, and 
system resources should be released.
   
   ### Relevant log output
   
   ```Shell
   
   ```
   
   ### Other information
   
   _No response_


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org