user1388973

Connect to existing SFTP server instead of starting new SFTP subprocess

I'm thinking about writing a new SFTP server. The current SFTP servers are started for every session. If there are three users of SFTP, there are three SFTP servers. That's not what I want. I want one server where every new SFTP session is connected to. How to do this?

When you log in to the server to start an SFTP session, an SSH process is started and an SFTP subsystem is started as well. The SSH process takes care of the encryption etc. The I/O is done through the standard ports 0, 1 and 2 (stdin, stdout and stderr) of the SFTP process.

This all works when for every session there is a dedicated SFTP process. But how can I make it work when there is one SFTP server I want to connect to? Via a "ssh-to-sftp-connect-agent"?

More information:

I want to use sftp version 6, which is better than version 3, which is used by openssh. The openssh community does not want to upgrade their sftp implementations:

https://bugzilla.mindrot.org/show_bug.cgi?id=1953

A very good open source sftp server is at:

http://www.greenend.org.uk/rjk/sftpserver/

and a very useful overview:

http://www.greenend.org.uk/rjk/sftp/sftpversions.html

This server is using sftp protocol version 6, but has (b)locking and handling of acl's not implemented. To implement these, shared tables are necessary for all open files with their access flags and blocking mode by who for (b)locking to work. When every sftp session leads to another process with:

Subsystem       sftp    /usr/libexec/gesftpserver

(which is inevitable when you want to use any protocol higher than 3) then a shared database is a solution to handle locks and acl's. Another solution is that every new sftp session connects to one existing "super" sftp server, which is started at boot time. Simultaneous access, locking etc. is much easier to program.

How to do this with this line:

Subsystem       sftp    /usr/libexec/exampleconnectagent

In the ideal case the agent enables the connection between the dedicated ssh process for the connection and the sftp-server, and terminates. Long story, is this possible? Do I have to use the passing of fd's described here:

Can I share a file descriptor to another process on linux or are they local to the process?

Thanks in advance.

Addition: I'm working on an sftp file server listening on a server socket. Clients can connect using the direct-streamlocal functionality to connect a channel to it in openssh. This way I can have one server process for all clients and this is what I wanted in the first place.

Upvotes: 1

Views: 1069

Answers (1)

Martin Prikryl

The current SFTP servers are started for every session.

What do you mean by "current SFTP servers"? Which one specifically?

The OpenSSH (as the most widely used SSH/SFTP server), did indeed open a new subprocess for each SFTP session. And there's hardly any problem with that. Though the recent versions don't, anymore. With the (new) default configuration, an in-process SFTP server (aka internal-sftp) is used.

See OpenSSH: Difference between internal-sftp and sftp-server.


If you really want to get an answer to your question, you have to tell us, what SFTP/SSH server your question is about.

If it is indeed about OpenSSH:

  • Nothing needs to be done, the functionality is there already.
  • If you want to add your own implementation, you have to modify OpenSSH code, there's no way to plug it in. Just check how the internal-sftp is implemented.
  • The other way is using the agent architecture, as you have suggested yourself. If you want to take this approach and need some help, you should ask a more specific question about inter-process communication and/or sharing file descriptors, and not about SFTP.

Upvotes: 2
