Re: New shell server transition
Posted: Thu May 17, 2018 7:17 pm
A few notes:
I'm definitely running afoul of some sort of idle timeout, and it's in not very many minutes (though I haven't yet measured the exact duration). This is with bash. I haven't yet changed any ssh settings, but according to the documentation, TCP keepalive is enabled by default, which should both keep the TCP connection from dropping and keep the NAT mapping from timing out (as long as the keepalive interval is shorter than the NAT timeout). I haven't tried fiddling with ServerAliveInterval yet.
There doesn't seem to be a way to disable the motd at login without also disabling the "last login" message (and possibly other messages of interest). The old server honored the .no-motd flag file, but the new one ignores it. Using .hushlogin is overly heavy-handed.
The new server doesn't add ~/bin to PATH globally, which the old one did. Perhaps this was intentional, since binaries built for oldshell won't necessarily work (due to missing libraries), but it means that some tweaking of local startup scripts is needed to get that effect.
The chroot containerization unfortunately separates multiple sessions from the same user. On oldshell, when something I'm running goes out to lunch, I can log in another session and kill the offending process, but that's not possible on the new server. It would be better if the containers could be per-userid rather than per-session, though I don't know how easy that would be to implement. A kludgy workaround might be to have special versions of ps and kill that could reach outside the chroot jail (while still being userid-constrained). And of course, if any real use is made of groups, containers would need to be per-group.
Fred Wright
I'm definitely running afoul of some sort of idle timeout, and it's in not very many minutes (though I haven't yet measured the exact duration). This is with bash. I haven't yet changed any ssh settings, but according to the documentation, TCP keepalive is enabled by default, which should both keep the TCP connection from dropping and keep the NAT mapping from timing out (as long as the keepalive interval is shorter than the NAT timeout). I haven't tried fiddling with ServerAliveInterval yet.
There doesn't seem to be a way to disable the motd at login without also disabling the "last login" message (and possibly other messages of interest). The old server honored the .no-motd flag file, but the new one ignores it. Using .hushlogin is overly heavy-handed.
The new server doesn't add ~/bin to PATH globally, which the old one did. Perhaps this was intentional, since binaries built for oldshell won't necessarily work (due to missing libraries), but it means that some tweaking of local startup scripts is needed to get that effect.
The chroot containerization unfortunately separates multiple sessions from the same user. On oldshell, when something I'm running goes out to lunch, I can log in another session and kill the offending process, but that's not possible on the new server. It would be better if the containers could be per-userid rather than per-session, though I don't know how easy that would be to implement. A kludgy workaround might be to have special versions of ps and kill that could reach outside the chroot jail (while still being userid-constrained). And of course, if any real use is made of groups, containers would need to be per-group.
Fred Wright