erlang / otp

ssh connection troubleshooting #8718

Open alexandrejbr opened 1 month ago

alexandrejbr commented 1 month ago

Is your feature request related to a problem? Please describe.

For troubleshooting purposes, we would like to be able to have more detailed information about the setup of an SSH connection. For instance, the proposed algorithms by each role and the authentication methods. This would be useful for both connections that are established successfully and for connections that fail to be established.

What we have in mind is to be able to debug a connection like one would do in OpenSSH with the verbose modes, but since that is perhaps quite ambitious, starting with what each role proposes for the connection and information about the authentication attempts would already be great.

Describe the solution you'd like

It's hard to imagine what would be the best way to obtain this information, but I imagine that a callback could work for both roles, even though for the client role the error would come from the result of ssh:connect and then a callback function would be called as well.

Logging also works, but perhaps a bit less flexible.

Do you think it would be interesting to have such troubleshooting capabilities in the ssh application?

u3s commented 2 weeks ago

Have you seen the ssh_dbg module? It is pretty powerful.

For seeing the result of algorithm negotiation I would use: ssh:start(), ssh_dbg:on([alg]).

And for also getting the SSH messages leading to the negotiation result: ssh:start(), ssh_dbg:on([alg, ssh_messages]).

To get all debug: ssh:start(), ssh_dbg:on().

Apply the above before establishing the connection. It should work for both roles. It is based on the tracing feature.

alexandrejbr commented 2 weeks ago

I'll have a look and see if it will work for our use case. What we want is that every time an SSH connection is established, this information is stored/logged so we can afterwards investigate why a connection could not be established.

If we use the traces I imagine we would need to activate this, capture the traces we are interested in and later on disable the tracing. Could work.

u3s commented 2 weeks ago

You disable it with ssh_dbg:off.

It might be slightly challenging to predict which connection will fail ... traces and production systems are tricky to combine, I'm afraid.

ssh_dbg is not a documented feature, so you would need to read the source to understand how it works.
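
The activate, capture, disable sequence discussed in this thread can be scoped to a single client connection attempt. The following is an added example, not code from the thread participants or from OTP; the module name `ssh_traced_connect` and its functions are hypothetical, and it assumes the `ssh_dbg` switch is node-wide, so traced attempts are serialised. It takes the same arguments as `ssh:connect/3`.

```erlang
%% Added example; not code from OTP. ssh_dbg is undocumented, so only the
%% calls named in this thread are used: ssh_dbg:on/1 and ssh_dbg:off/0.
-module(ssh_traced_connect).
-export([connect/3, connect/4]).

%% Trace algorithm negotiation only, as suggested in the thread.
connect(Host, Port, Opts) ->
    connect(Host, Port, Opts, [alg]).

%% TraceTypes is passed to ssh_dbg:on/1, e.g. [alg] or [alg, ssh_messages].
connect(Host, Port, Opts, TraceTypes) ->
    {ok, _} = application:ensure_all_started(ssh),
    %% Assumption: the ssh_dbg switch is node-wide (it is built on tracing),
    %% so serialise traced attempts; otherwise one caller's off() would cut
    %% another caller's trace short.
    global:trans({?MODULE, self()},
                 fun() -> traced(Host, Port, Opts, TraceTypes) end,
                 [node()]).

traced(Host, Port, Opts, TraceTypes) ->
    _ = ssh_dbg:on(TraceTypes),
    try ssh:connect(Host, Port, Opts) of
        {ok, Conn} ->
            {ok, Conn};
        {error, Reason} ->
            %% Keep the failure reason next to the trace output so the
            %% two can be correlated afterwards.
            logger:error("ssh connect to ~p:~p failed: ~p",
                         [Host, Port, Reason]),
            {error, Reason}
    after
        %% Runs on success, error return and exception alike, so tracing
        %% is never left enabled after the attempt.
        _ = ssh_dbg:off()
    end.
```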