From a7fea58535430882ee4fe0011a4073930293dd49 Mon Sep 17 00:00:00 2001
From: x032205
Date: Wed, 13 May 2026 22:45:05 -0400
Subject: [PATCH 1/2] fix: early session cleanup that broke proxies
---
 packages/gateway-v2/gateway.go | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/packages/gateway-v2/gateway.go b/packages/gateway-v2/gateway.go
index 7220cd9b..b061f5f8 100644
--- a/packages/gateway-v2/gateway.go
+++ b/packages/gateway-v2/gateway.go
@@ -883,17 +883,7 @@ func (g *Gateway) handleIncomingChannel(newChannel ssh.NewChannel) {
 }
 }
 sessionCancel()
- // RDP reconnects via a stable .rdp file within the session's validity
- // window; terminating on disconnect would break that. Idle reaper /
- // expiry / explicit cancel still end the session normally.
- isRDP := forwardConfig.PAMConfig.ResourceType == session.ResourceTypeWindows
- if lastConn := g.DeregisterPAMSession(forwardConfig.PAMConfig.SessionId, tlsConn); lastConn && !isRDP {
- if err := forwardConfig.PAMConfig.SessionUploader.CleanupPAMSession(
- forwardConfig.PAMConfig.SessionId, "connection_closed",
- ); err != nil {
- log.Error().Err(err).Str("sessionId", forwardConfig.PAMConfig.SessionId).Msg("Failed to cleanup PAM session")
- }
- }
+ g.DeregisterPAMSession(forwardConfig.PAMConfig.SessionId, tlsConn)
 return
 } else if forwardConfig.Mode == ForwardModePAMCancellation {
 if err := pam.HandlePAMCancellation(g.ctx, tlsConn, &forwardConfig.PAMConfig, g.httpClient, g.CancelPAMSession); err != nil {
From 0bd205608213487841adda453a45a755000f86c6 Mon Sep 17 00:00:00 2001
From: x032205
Date: Wed, 13 May 2026 22:49:04 -0400
Subject: [PATCH 2/2] move cleanup to defer
---
 packages/gateway-v2/gateway.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/packages/gateway-v2/gateway.go b/packages/gateway-v2/gateway.go
index b061f5f8..0a421769 100644
--- a/packages/gateway-v2/gateway.go
+++ b/packages/gateway-v2/gateway.go
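Review bot: In PATCH 1/2 the replacement line `g.DeregisterPAMSession(forwardConfig.PAMConfig.SessionId, tlsConn)` discards the last-connection result, and nothing on this path calls `CleanupPAMSession` any more, so a privileged-access session now stays live after its final client disconnects for every resource type rather than only for RDP. The deleted comment was the only place stating that the idle reaper, expiry or an explicit cancel end the session; I would keep a short version above the call, e.g. `// Not terminated on disconnect: clients may reconnect within the validity window; idle reaper / expiry / explicit cancel end the session.` It is also worth confirming, in code outside this hunk, that the idle reaper still covers a session with zero registered connections, otherwise the exposure window is bounded only by expiry. handleIncomingChannel begins and ends outside the hunk.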
@@ -874,6 +874,10 @@ func (g *Gateway) handleIncomingChannel(newChannel ssh.NewChannel) {
 }
 sessionCtx, sessionCancel := context.WithCancel(g.ctx)
 touchSession := g.RegisterPAMSession(forwardConfig.PAMConfig.SessionId, sessionCancel, tlsConn)
+ defer func() {
+ sessionCancel()
+ g.DeregisterPAMSession(forwardConfig.PAMConfig.SessionId, tlsConn)
+ }()
 forwardConfig.PAMConfig.OnActivity = touchSession
 if err := pam.HandlePAMProxy(sessionCtx, tlsConn, &forwardConfig.PAMConfig, g.httpClient); err != nil {
 if err.Error() == "unexpected EOF" {
@@ -882,8 +886,6 @@ func (g *Gateway) handleIncomingChannel(newChannel ssh.NewChannel) {
 log.Error().Err(err).Msg("PAM proxy handler ended with error")
 }
 }
- sessionCancel()
- g.DeregisterPAMSession(forwardConfig.PAMConfig.SessionId, tlsConn)
 return
 } else if forwardConfig.Mode == ForwardModePAMCancellation {
 if err := pam.HandlePAMCancellation(g.ctx, tlsConn, &forwardConfig.PAMConfig, g.httpClient, g.CancelPAMSession); err != nil {
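Review bot: The deferred closure in the first hunk of PATCH 2/2 reads `forwardConfig.PAMConfig.SessionId` when it runs, not when the session was registered, and `&forwardConfig.PAMConfig` is passed to `pam.HandlePAMProxy` in between. Whether the handler ever changes that field is not visible here, but if it did, the deregistration would miss the registered entry and leave a stale session and cancel func behind. Capturing the id once, `sessionID := forwardConfig.PAMConfig.SessionId`, and using `sessionID` in both `RegisterPAMSession` and the defer removes that dependency. A one-line comment above the defer, such as `// Runs on every exit path, including a panic in the proxy handler.`, would record why the cleanup was moved. handleIncomingChannel begins and ends outside the hunk.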