starred/the-bastion

Fork 0

mirror of https://github.com/ovh/the-bastion.git synced 2026-05-09 08:25:27 +02:00

[GH-ISSUE #482] [Question] disable ttyrec for SCP #124

New issue

Closed

opened 2026-05-07 00:19:12 +02:00 by BreizhHardware · 8 comments

BreizhHardware commented

2026-05-07 00:19:12 +02:00

Owner

Originally created by @SherifNagy on GitHub (Jul 1, 2024).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/482

Whenever I SCP via bastion, the ttyrec records, and sometimes the files are in Gbs, so it files ttyrec directory with the recording which gets sliced to 2.0Gb files, is there away to ignore SCP recordings all together? sometimes when the files are big also the scp just freezes

Originally created by @SherifNagy on GitHub (Jul 1, 2024). Original GitHub issue: https://github.com/ovh/the-bastion/issues/482 Whenever I SCP via bastion, the ttyrec records, and sometimes the files are in Gbs, so it files ttyrec directory with the recording which gets sliced to 2.0Gb files, is there away to ignore SCP recordings all together? sometimes when the files are big also the scp just freezes

BreizhHardware

2026-05-07 00:19:12 +02:00

closed this issue
added the
bug
label

BreizhHardware commented

2026-05-07 00:19:14 +02:00

Author

Owner

@codyro commented on GitHub (Jul 1, 2024):

Maybe https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html?highlight=ttyrec#ttyrecstealthstdoutpattern in some capacity?

@codyro commented on GitHub (Jul 1, 2024): Maybe https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html?highlight=ttyrec#ttyrecstealthstdoutpattern in some capacity?

BreizhHardware commented

2026-05-07 00:19:14 +02:00

Author

Owner

@SherifNagy commented on GitHub (Jul 2, 2024):

I am trying this method, with no luck, so

I am using the scp helper script
"ttyrecStealthStdoutPattern": ".* --osh scp --scp-cmd .*", in my /etc/bastion/bastion.conf
this is with script in debug mode: + exec ssh USERNAME@BASTIONFQDN -T -x -oPermitLocalCommand=no -oClearAllForwardings=yes -oRemoteCommand=none -oRequestTTY=no -oForwardAgent=no -- --user root --port 22 --host XXXXXXXX --osh scp --scp-cmd scp#-f#/tmp/solr-7.7.1.tgz_ --mfa-token notrequired

What happens, is the SCP starts, and sometimes gets stuck at the end, and my ttyrec session is the size of the file

solr-7.7.1.tgz_ 74% 122MB 61.9MB/s 00:00 ETA

164M Jul 2 13:33 2024-07-02.13-32-57.398220.113a75ed54fd.sherif.0.scp.0.ttyrec

@SherifNagy commented on GitHub (Jul 2, 2024): I am trying this method, with no luck, so * I am using the scp helper script * "ttyrecStealthStdoutPattern": ".* --osh scp --scp-cmd .*", in my /etc/bastion/bastion.conf * this is with script in debug mode: + exec ssh USERNAME@BASTIONFQDN -T -x -oPermitLocalCommand=no -oClearAllForwardings=yes -oRemoteCommand=none -oRequestTTY=no -oForwardAgent=no -- --user root --port 22 --host XXXXXXXX --osh scp --scp-cmd scp#-f#/tmp/solr-7.7.1.tgz_ --mfa-token notrequired What happens, is the SCP starts, and sometimes gets stuck at the end, and my ttyrec session is the size of the file solr-7.7.1.tgz_ 74% 122MB 61.9MB/s 00:00 ETA 164M Jul 2 13:33 2024-07-02.13-32-57.398220.113a75ed54fd.sherif.0.scp.0.ttyrec

BreizhHardware commented

2026-05-07 00:19:14 +02:00

Author

Owner

@speed47 commented on GitHub (Jul 2, 2024):

Hello,

You're not far from the truth @codyro ;) clearly this option has been added for similar cases, except that it's reserved to actual egress SSH connections and not osh plugins. In the documentation, there is the rsync example because if you want to use rsync through ssh, the bastion is not aware of it (rsync is then "just" a remote command started by ssh), and the only thing the bastion can do to tell you're using rsync is matching the command to be executed on the remote server.

For plugins, this is easier, and it should be the case for scp out of the box, as seen here:
github.com/ovh/the-bastion@3ba789ed34/bin/plugin/open/scp.json (L3)

I quickly tested, and can't seem to be able to reproduce by uploading a file. @SherifNagy which version are you using? Can you confirm the presence of the above configuration on your system?

Are you also using a recent version of ovh-ttyrec? (I suppose you are, because older versions don't support this parameter, but it doesn't hurt to ask!)

@speed47 commented on GitHub (Jul 2, 2024): Hello, You're not far from the truth @codyro ;) clearly this option has been added for similar cases, except that it's reserved to actual egress SSH connections and not `osh` plugins. In the documentation, there is the `rsync` example because if you want to use rsync through ssh, the bastion is not aware of it (rsync is then "just" a remote command started by ssh), and the only thing the bastion can do to tell you're using rsync is matching the command to be executed on the remote server. For plugins, this is easier, and it should be the case for `scp` out of the box, as seen here: https://github.com/ovh/the-bastion/blob/3ba789ed34b0a35d6409c0469248475d9bfa8ee1/bin/plugin/open/scp.json#L3 I quickly tested, and can't seem to be able to reproduce by uploading a file. @SherifNagy which version are you using? Can you confirm the presence of the above configuration on your system? Are you also using a recent version of `ovh-ttyrec`? (I suppose you are, because older versions don't support this parameter, but it doesn't hurt to ask!)

BreizhHardware commented

2026-05-07 00:19:14 +02:00

Author

Owner

@SherifNagy commented on GitHub (Jul 2, 2024):

I am using ovh-ttyrec-1.1.7.1-1 and just updated to latest bastion code 3.16.01

yes, the file is there and "stealth_stdout": true,

The issue happens in scp upload and scp download, the example I showed, was the "download" scp

I am open to run any more tests on my system

@SherifNagy commented on GitHub (Jul 2, 2024): I am using ovh-ttyrec-1.1.7.1-1 and just updated to latest bastion code 3.16.01 yes, the file is there and "stealth_stdout": true, The issue happens in scp upload and scp download, the example I showed, was the "download" scp I am open to run any more tests on my system

BreizhHardware commented

2026-05-07 00:19:15 +02:00

Author

Owner

@speed47 commented on GitHub (Jul 3, 2024):

I can reproduce with scp download (remote server => local machine), but not with scp upload (local machine => remote server).
That's already enough for me to start digging!

@speed47 commented on GitHub (Jul 3, 2024): I can reproduce with scp download (remote server => local machine), but not with scp upload (local machine => remote server). That's already enough for me to start digging!

BreizhHardware commented

2026-05-07 00:19:15 +02:00

Author

Owner

@speed47 commented on GitHub (Jul 3, 2024):

@SherifNagy do you have the possibility to try the issue-482 branch, before I merge it? This fixes it on my side, but as I wasn't able to reproduce the issue with scp download, I'd like to be sure the issue you're observing is not different.

@speed47 commented on GitHub (Jul 3, 2024): @SherifNagy do you have the possibility to try the issue-482 branch, before I merge it? This fixes it on my side, but as I wasn't able to reproduce the issue with scp download, I'd like to be sure the issue you're observing is not different.

BreizhHardware commented

2026-05-07 00:19:15 +02:00

Author

Owner

@SherifNagy commented on GitHub (Jul 3, 2024):

@speed47 that seems to have fixed the ttyrec scp download / upload recording issue :) Thanks!

Still sometime the download / upload gets stuck in random times, I need to check some more stuff on my end and maybe will open another issue when I can confirm what's exactly going in , also OTP for users dosn't work on rocky9 but it's not selinux issue, debugging that as well before I open any other issues :) thanks again for sorting this one out!!

@SherifNagy commented on GitHub (Jul 3, 2024): @speed47 that seems to have fixed the ttyrec scp download / upload recording issue :) Thanks! Still sometime the download / upload gets stuck in random times, I need to check some more stuff on my end and maybe will open another issue when I can confirm what's exactly going in , also OTP for users dosn't work on rocky9 but it's not selinux issue, debugging that as well before I open any other issues :) thanks again for sorting this one out!!

BreizhHardware commented

2026-05-07 00:19:15 +02:00

Author

Owner

@speed47 commented on GitHub (Jul 3, 2024):

Merged the fix which autoclosed the ticket. Don't hesitate to open a new issue if you can reproduce the other issues you're talking about :)

@speed47 commented on GitHub (Jul 3, 2024): Merged the fix which autoclosed the ticket. Don't hesitate to open a new issue if you can reproduce the other issues you're talking about :)

BreizhHardware referenced this issue

2026-05-07 00:20:02 +02:00

[PR #124] [MERGED] fix: scripts: (( )) returns 1 if evaluated to zero #257