To improve user experience, you need to keep up with 360's pace!
2013-11-08 13:25
SSH Frequently Asked Questions

When I try to use sftp or scp2, I get a message like this:
Received message too long (or "Bad packet length") 1416586337
and the connection fails. What's wrong?
sftp and scp2 both actually work by running ssh in a subprocess, to connect to the remote host and run the file-transfer server (usually named sftp-server). For instance, the command sftp server might result in the following command being run (OpenSSH):
ssh server -s -oForwardX11=no -oForwardAgent=no -oProtocol=2 sftp
scp2/sftp and sftp-server use a special file-transfer protocol, which they speak over this SSH session. The protocol is in fact based on the same packet protocol used by SSH.
In order for this to work, the SSH session must be "clean" — that is, it must carry only information transmitted by the programs at either end. What often happens, though, is that there are statements in either the system or per-user shell startup files on the server (.bashrc, .profile, /etc/csh.cshrc, .login, etc.) which output text messages on login, intended to be read by humans (like fortune, echo "Hi there!", etc.). Such code should only produce output on interactive logins, when there is a tty attached to standard input. If it does not make this test, it will insert these text messages where they don't belong: in this case, polluting the protocol stream between scp2/sftp and sftp-server. The first four bytes of the text get interpreted as a 32-bit packet length, which will usually be a wildly large number, provoking the error message above. Notice that:
1416586337 decimal = 546F6461 hex = "Toda" ASCII
suggesting a string beginning "Today..." (or maybe "Thank-you" in transliterated Hebrew).
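To make the arithmetic above and the tty test concrete, here is an added shell example; it is not from the FAQ or from any SSH implementation. It reads the first four bytes of a constructed banner as a big-endian 32-bit length, exactly as the sftp client treats the first bytes it receives, and reproduces the 1416586337 figure from "Toda". It then sources two constructed startup files with standard input redirected away from a terminal, showing that the unguarded file leaks bytes into the stream while the one wrapped in [ -t 0 ] stays silent. The banner text, the file names and the helper names (packet_length_of, leaked_bytes) are my own, and sourcing is forced explicitly because which files a given shell reads non-interactively varies from shell to shell.

```shell
#!/bin/sh
# Added example, not part of the FAQ: reproduces the "message too long"
# arithmetic from a constructed banner and checks startup files for leaked output.

# Read the first four bytes of a string as a big-endian 32-bit packet length,
# which is what the sftp client does with whatever arrives first on the channel.
packet_length_of() {
    # $1: text that a startup file printed (constructed input)
    hex=$(printf '%s' "$1" | head -c 4 | od -An -tx1 | tr -d ' \n')
    [ -n "$hex" ] || { echo 0; return; }
    echo $(( 0x$hex ))
}

# Source a startup file the way sshd's non-interactive session would see it:
# no tty on stdin, stdout captured. Prints the number of bytes the file leaked;
# 0 means it will not corrupt an sftp/scp2 session.
leaked_bytes() {
    # $1: path to a startup file
    sh -c ". \"$1\"" </dev/null 2>/dev/null | wc -c | tr -d ' '
}

# Two constructed startup files: one greets unconditionally, the other uses the
# tty test the FAQ recommends ([ -t 0 ] is true only when stdin is a terminal).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
NOISY_RC="$DEMO_DIR/noisy.rc"
QUIET_RC="$DEMO_DIR/quiet.rc"
printf '%s\n' 'echo "Today is a fine day"' > "$NOISY_RC"
printf '%s\n' 'if [ -t 0 ]; then echo "Today is a fine day"; fi' > "$QUIET_RC"

# Stand-alone run: report what the sftp client would read from each file.
for rc in "$NOISY_RC" "$QUIET_RC"; do
    n=$(leaked_bytes "$rc")
    if [ "$n" -gt 0 ]; then
        banner=$(sh -c ". \"$rc\"" </dev/null)
        echo "$rc leaks $n bytes; sftp would read packet length $(packet_length_of "$banner")"
    else
        echo "$rc is quiet; safe for sftp"
    fi
done
```

On a real server the equivalent check is to run a trivial non-interactive command such as ssh server true and confirm that it prints nothing: any output it does produce is exactly what the sftp client would parse as a packet header.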
The reason the shell startup files are relevant at all is that sshd employs the user's shell when starting any programs on the user's behalf (using e.g. /bin/sh -c "command"). This is a Unix tradition, and has advantages:
The user's usual setup (command aliases, environment variables, umask, etc.) are in effect when remote commands are run.
The common practice of setting an account's shell to /bin/false to disable it will prevent the owner from running any commands, should authentication still accidentally succeed for some reason.
There has been a lot of argument about whether this is the right behavior, since having sshd instead exec sftp-server directly, without the shell, would avoid this frequent problem. I personally feel that using the shell is the right thing to do: having startup files that emit text messages when there is no user to read them is just a mistake. SSH2 has a Boolean configuration statement AllowCshrcSourcingWithSubsystems, set false by default, which causes sshd2 to pass the -f flag to the shell when running subsystem programs (sftp-server is run as an SSH-2 "subsystem"). With most shells, -f causes the shell to omit the normal startup file processing. This prevents the corruption problem, but introduces other difficulties. With file transfers, the umask setting is important, and people are confused when they find that the umask they set in their ~/.login file works with random remote commands (e.g. ssh server touch foo), but is mysteriously ignored when using scp2/sftp.

This article is from the "枪炮与玫瑰的BLOG" blog; please keep this source notice: http://axlrose.blog.51cto.com/434566/1292906