Solved

set OpenSSH timeout for inactive connections

Posted on 2006-07-24
Last Modified: 2008-01-09
My SSH sessions keep getting disconnected after ~20 minutes of inactivity. My server runs Debian and OpenSSH, and so far I haven't changed any settings or initialization scripts related to ssh. How can I disallow timeouts due to insufficient use of the connection?

Thanks.
Question by:BerkeleyJeff
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17165942
in ~/.ssh/config
  KeepAlive no

in /etc/ssh/sshd_config
  KeepAlive no
0
 
LVL 43

Accepted Solution

by:
ravenpl earned 500 total points
ID: 17165951
on server side
/etc/ssh/sshd_config

     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through
             the encrypted channel to request a response from the client.  The default is 0, indicating that these messages will not be sent
             to the client.  This option applies to protocol version 2 only.

on client side
/etc/ssh/ssh_config or ~/.ssh/config
     ServerAliveInterval
             Sets a timeout interval in seconds after which if no data has been received from the server, ssh will send a message through
             the encrypted channel to request a response from the server.  The default is 0, indicating that these messages will not be sent
             to the server.  This option applies to protocol version 2 only.
0
 

Author Comment

by:BerkeleyJeff
ID: 17166012
My sshd_config file doesn't have 'ClientAliveInterval' in it. It does have 'KeepAlive' set to 'Yes', but could that be my problem? The server isn't supposed to disconnect upon the keepAlive, as long as the client is still connected, right? I thought KeepAlive was more to detect dropped connections.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17166632
> It does have 'KeepAlive' set to 'Yes', but could that be my problem?
yes
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17166645
> How can I disallow timeouts due to insufficient use of the connection?
I understand that the connection is broken, and the author wants it alive. Right?
0
 

Author Comment

by:BerkeleyJeff
ID: 17168698
So I switched KeepAlive from 'Yes' to 'No', but I still get disconnected frequently. Here's a typical error message:

> Read from remote host metaglossary.com: Connection reset by peer
Connection to metaglossary.com closed.


Are there some other settings that might be responsible?
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17168772
Yes - I proposed some in my first comment.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 17169334
You might also be seeing a firewall or socket timeout, which will typically ignore keepalive settings.

you can check one of the /proc settings for tcp timeouts with a command like this:

less /proc/sys/net/ipv4/tcp_keepalive_time

it will probably be around 7200 (i.e. 2 hours)
if you like, you can reset the timeout by echoing to /proc/sys/net/ipv4/tcp_keepalive_time

example:
echo -n 43200 > /proc/sys/net/ipv4/tcp_keepalive_time
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17169797
firewall or kernel problem, as already said
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17169984
Yep, and ClientAliveInterval/ServerAliveInterval should fix it up.
Alternative: run the following script while leaving the session alone
while true; do echo -n "."; sleep 60; done
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17170271
.. or
  ping -i 42 localhost
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17654698
I guess my comments were on the right track, and are ssh based only.
Messing with kernel timeouts would do, if they are done on the firewall - not the peer system.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17657971
hmm, we could dispute the hen-egg problem which means KeepAlive and ClientAliveInterval/ServerAliveInterval here.
But the problem turns out to be network and not ssh related.
I'd vote for a 3-way split then.
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17698009
ahoffmann: how did You get the impression that it's network/firewall problem?
Let me explain:
firewalls may ignore TCP KeepAlive packets, but surely can't ignore ClientAliveInterval/ServerAliveInterval packets (as it's data based).
any router/firewall on the way may do connection tracking, and therefore messing with TCP stack values on the peer systems will not help.
Also /proc/sys/net/ipv4/tcp_keepalive_time means how often the kernel should send KeepAlive if enabled. Enlarging it surely will not help!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17710895
>  ahoffmann: how did You get the impression that it's network/firewall problem?
see http:#17168698

> firewalls may ..
agreed

> any router/firewall on the way may do ..
agreed and confirms my network assumption
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17713308
The point is that ClientAliveInterval/ServerAliveInterval should help - it uses data channel, thus firewall can't cut it out...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17713802
> .. thus firewall can't cut it out...
true, the firewall can't cut out the application data, but if the firewall's timeout is less than that configured for ssh it drops the connection before the heart beat is sent.
0
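
The point made in the comment above, as an added example that is not part of any post in this thread: an SSH-level keepalive only helps if its interval is shorter than the idle timeout of whatever device in the path drops the flow. The function names, the sample config and the 300-second idle timeout are assumptions of this example; it reads plain-seconds values only and does not evaluate `Match`/`Host` blocks, so pipe in `sshd -T` or `ssh -G <host>` output to check effective values.

```shell
# Added example: will an SSH application-level keepalive fire before an
# idle-connection timeout on a firewall/NAT in the path?
# Input: sshd_config/ssh_config-style text on stdin.

# effective_value KEYWORD < config
# OpenSSH uses the first value obtained for a keyword; keywords are
# case-insensitive and may be separated from the value by spaces or '='.
effective_value() {
    awk -v want="$1" '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, normalise "k=v"
        NF >= 2 && tolower($1) == tolower(want) { print $2; found = 1; exit }
        END { if (!found) print 0 }          # both *AliveInterval options default to 0
    '
}

# keepalive_verdict KEYWORD IDLE_TIMEOUT_SECONDS < config
# Prints: disabled | too-slow | ok | unparsed
keepalive_verdict() {
    interval=$(effective_value "$1")
    case "$interval" in
        ''|*[!0-9]*) echo "unparsed"; return 2 ;;  # e.g. "5m" time formats
    esac
    if [ "$interval" -eq 0 ]; then
        echo "disabled"     # no probes are sent through the encrypted channel
    elif [ "$interval" -ge "$2" ]; then
        echo "too-slow"     # the path device can expire the flow before the first probe
    else
        echo "ok"
    fi
}

# Constructed sample config (not taken from the thread).
SAMPLE_SSHD='# constructed sample
Port 22
#ClientAliveInterval 30
clientaliveinterval=600
ClientAliveInterval 60
'

# Assumed idle timeout of the path device: 300 seconds.
printf '%s' "$SAMPLE_SSHD" | keepalive_verdict ClientAliveInterval 300
```
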
 
LVL 20

Expert Comment

by:Venabili
ID: 17739136
So what do we do with the question?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17745059
I'd still vote for a 3-way split. ravenpl, do you agree?
0
 
LVL 43

Expert Comment

by:ravenpl
ID: 17745089
Whatever - I already said what I'm thinking.
0
 

Author Comment

by:BerkeleyJeff
ID: 17745161
Indeed, the value in  /proc/sys/net/ipv4/tcp_keepalive_time is 7200 (i.e. 2 hours). However, the timeout tends to occur after more like 5 minutes.

Secondly, I have ruled in hardware problems, since I have the same problem with two servers, from any clients. All servers and clients run a minimal distribution of debian linux.

Leaving "top" running (or while true; do echo -n "."; sleep 60; done), keeps the connection from closing. I will try modifying ClientAliveInterval/ServerAliveInterval.

Thanks for help.
0
 

Author Comment

by:BerkeleyJeff
ID: 17745255
I think that when I originally posted this, I was also having network problems. No longer. Now changing these alive intervals seems to solve the problem. Thanks, all.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17745269
the author's decision is most likely the best ;-)
Thanks for coming back BerkeleyJeff.
0
 
LVL 20

Expert Comment

by:Venabili
ID: 17745716
Thanks for closing ;)
0
