ovh / the-bastion

Authentication, authorization, traceability and auditability for SSH accesses.
https://ovh.github.io/the-bastion/

[Question] disable ttyrec for SCP #482

Closed SherifNagy closed 2 months ago

SherifNagy commented 2 months ago

Whenever I SCP via the bastion, ttyrec records it, and sometimes the files are GBs in size, so it fills the ttyrec directory with the recording, which gets sliced into 2.0Gb files. Is there a way to ignore SCP recordings altogether? Sometimes when the files are big, the scp also just freezes.

codyro commented 2 months ago

Maybe https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html?highlight=ttyrec#ttyrecstealthstdoutpattern in some capacity?

SherifNagy commented 2 months ago

I am trying this method, with no luck, so

What happens is the SCP starts, and sometimes gets stuck at the end, and my ttyrec session is the size of the file

solr-7.7.1.tgz_ 74% 122MB 61.9MB/s 00:00 ETA

164M Jul 2 13:33 2024-07-02.13-32-57.398220.113a75ed54fd.sherif.0.scp.0.ttyrec

speed47 commented 2 months ago

Hello,

You're not far from the truth @codyro ;) clearly this option has been added for similar cases, except that it's reserved to actual egress SSH connections and not osh plugins. In the documentation, there is the rsync example because if you want to use rsync through ssh, the bastion is not aware of it (rsync is then "just" a remote command started by ssh), and the only thing the bastion can do to tell you're using rsync is matching the command to be executed on the remote server.

For plugins, this is easier, and it should be the case for scp out of the box, as seen here: https://github.com/ovh/the-bastion/blob/3ba789ed34b0a35d6409c0469248475d9bfa8ee1/bin/plugin/open/scp.json#L3

I quickly tested, and can't seem to be able to reproduce by uploading a file. @SherifNagy which version are you using? Can you confirm the presence of the above configuration on your system?

Are you also using a recent version of ovh-ttyrec? (I suppose you are, because older versions don't support this parameter, but it doesn't hurt to ask!)
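One way an administrator could run the check asked for above, as an added example that is not part of the thread or of the project's code: it confirms that a plugin config sets `stealth_stdout` and flags scp recordings that are still large. The filename pattern is inferred from the one recording name quoted in this thread, and the size threshold and directory arguments are assumptions.

```python
import json
import re
from pathlib import Path

# Assumption: recordings made by the scp plugin end in ".scp.<n>.ttyrec",
# inferred from the single filename quoted in this thread.
SCP_RECORDING = re.compile(r"\.scp\.\d+\.ttyrec$")

def plugin_stealth_stdout(config_text):
    """True only if the plugin config sets "stealth_stdout" to JSON true.
    Raises ValueError if the text is not valid JSON."""
    conf = json.loads(config_text)
    return isinstance(conf, dict) and conf.get("stealth_stdout") is True

def oversized_scp_recordings(entries, max_bytes):
    """entries: iterable of (filename, size_in_bytes) pairs.
    Returns the scp recordings larger than max_bytes, sorted by name."""
    return sorted(
        (name, size) for name, size in entries
        if SCP_RECORDING.search(name) and size > max_bytes
    )

def scan(ttyrec_root, max_bytes):
    """Walk a ttyrec directory (path supplied by the caller) on disk."""
    files = (p for p in Path(ttyrec_root).rglob("*.ttyrec") if p.is_file())
    return oversized_scp_recordings(
        ((p.name, p.stat().st_size) for p in files), max_bytes)

# Constructed sample data; only the first filename appears in the thread.
SAMPLE_CONFIG = '{"stealth_stdout": true}'
SAMPLE_ENTRIES = [
    ("2024-07-02.13-32-57.398220.113a75ed54fd.sherif.0.scp.0.ttyrec",
     164 * 1024 * 1024),
    ("2024-07-02.14-01-10.000001.aaaaaaaaaaaa.sherif.0.scp.0.ttyrec", 2048),
    ("constructed-interactive-session.ttyrec", 300 * 1024 * 1024),
]

if __name__ == "__main__":
    print("stealth_stdout set:", plugin_stealth_stdout(SAMPLE_CONFIG))
    # With stdout suppressed, an scp recording should stay far below the
    # size of the transferred file; 1 MiB is an arbitrary threshold.
    for name, size in oversized_scp_recordings(SAMPLE_ENTRIES, 1 << 20):
        print(f"suspicious: {name} ({size} bytes)")
```

A recording flagged here while the config check passes matches the symptom reported in this issue: the setting is present but the transferred data is still being recorded.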

SherifNagy commented 2 months ago

I am using ovh-ttyrec-1.1.7.1-1 and just updated to latest bastion code 3.16.01

Yes, the file is there and "stealth_stdout": true,

The issue happens in scp upload and scp download; the example I showed was the "download" scp

I am open to run any more tests on my system

speed47 commented 2 months ago

I can reproduce with scp download (remote server => local machine), but not with scp upload (local machine => remote server). That's already enough for me to start digging!

speed47 commented 2 months ago

@SherifNagy do you have the possibility to try the issue-482 branch, before I merge it? This fixes it on my side, but as I wasn't able to reproduce the issue with scp download, I'd like to be sure the issue you're observing is not different.

SherifNagy commented 2 months ago

@speed47 that seems to have fixed the ttyrec scp download / upload recording issue :) Thanks!

Still, sometimes the download / upload gets stuck at random times. I need to check some more stuff on my end and maybe will open another issue when I can confirm what's exactly going on. Also, OTP for users doesn't work on rocky9, but it's not an selinux issue; debugging that as well before I open any other issues :) thanks again for sorting this one out!!

speed47 commented 2 months ago

Merged the fix which autoclosed the ticket. Don't hesitate to open a new issue if you can reproduce the other issues you're talking about :)