[Gllug] ssh timeout
Nix
nix at esperi.org.uk
Wed Feb 9 11:41:23 UTC 2005
On Tue, 08 Feb 2005, Martin A. Brooks moaned:
> Andy McGarty wrote:
>
>> There is an sshd_config setting:
>> #KeepAlive yes
>
> I seem to recall this option doesn't quite do what you'd think. IIRC, this actually deals with killing off dead half open TCP
> connections that would otherwise build up and possibly prevent ssh connections from being established.
SSH keepalives are confusing. There are several different ssh keepalive
options, controlling two different kinds of keepalive, and one of the
options has been renamed as well.
TCPKeepAlive (which, pre-OpenSSH-3.8, was called KeepAlive),
which flips on the SO_KEEPALIVE socket option
Application-layer keepalives (i.e., OpenSSH sends an IGNORE to the other
end and waits for its response), controlled through
ServerAliveInterval/ServerAliveCountMax (for the client to use to decide
if a server is dead) and ClientAliveInterval/ClientAliveCountMax (for
the server to decide if the client is dead).
ServerAliveInterval/ServerAliveCountMax are new in OpenSSH-3.8; the
corresponding client options are old.
Either of these should suffice to prevent NAT sessions from
timing out; to force timeouts higher, echo a value in seconds
into /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established.
For me, it's 432800 seconds, or five days, which is more than long
enough.
Killing off things that are only thirty minutes old doesn't sound like a
Linux firewall unless someone's reconfigured it --- but I've seen
Windows NAT gateways that do that, and explicitly filter out TCP
keepalives, too. Even they are forced into compliance by
application-level keepalives, though.
(Obvious but necessary downside: if you send keepalives too often, and
you lose network connectivity, you'd better get it back quick or you
lose your SSH sessions...)
--
Synapsids unite! You have nothing to lose but your eggshells!
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list