Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Sat Aug 19, 2017 2:44 am


System administration, processes administration, jobs, cron, resources, limits, shells, ssh, telnet.

Author Message
mandrei99
Post  Post subject: How to prevent Linux SSH client from disconnecting using ServerAliveInterval  |  Posted: Fri Jan 09, 2015 8:26 pm

Joined: Tue Aug 04, 2009 9:16 am
Posts: 245

Offline
 

How to prevent Linux SSH client from disconnecting using ServerAliveInterval

How to prevent Linux SSH client from disconnecting using ServerAliveInterval
Usually when I work on a remote server, I like having multiple ssh sessions to that remote server for mult-itasking. But sometimes the server, due to network issues or server keepalives not reaching the client and terminating the ssh session, so it becomes unresponsive to the ssh client. It is especially irritating when you need to re-initialize all ssh sessions to that specific server.

I compiled some information on how to use keepalives on ssh client side to either detect server becoming unresponsive that leads to freezing ssh sessions or to prevent either of the ends from distroying an idle ssh session.

Prevent SSH Disconnect globally by using ServerAliveInterval in SSH configuration files


First method to use ssh keepalives (ServerAliveInterval) is to use the global configuration file /etc/ssh/ssh_config or /usr/local/etc/ssh/ssh_config by uncommenting/adding the option:
Code:
...
ServerAliveInterval 30
...

30 being the number of seconds at which probes have to be sent.

Prevent SSH Disconnect by using ServerAliveInterval in ~/.ssh/config file


The second method to use ssh keepalive is in the user's ssh client configuration file ~/.ssh/config. This method is good when you don't have permissions to change the global ssh configuration file:
Code:
Host *
  ServerAliveInterval 30

This sets the keepalive interval to 30 seconds for all hosts. Of course, it can be used also on per-host basis.

Prevent SSH Disconnect by using ServerAliveInterval option in SSH cli command


The third method to use ssh keepalive is by supplying the option to ssh command line:
Code:
$ ssh -o ServerAliveInterval=10 user@remote-ssh-server-ip


More information about ssh ServerAliveInterval option


This directive instructs the ssh client to use the ssh encrypted channel for sending the probes. It means that the client sends an encrypted message to the server, the server replies and then the client acknowledges. These messages are encrypted using parameters negotiated at the establishment of the ssh session.

ServerAliveInterval works in tandem with ServerAliveCountMax (default 3). The client will send probes to the server every "ServerAliveInterval" seconds. If the "ServerAliveCountMax"rd probe does not receive a response from the ssh server, the client will disconnect. As mentioned, this has the purpose of both preventing the ssh session from becoming idle and to be terminated by client/server or some firewall in between and detecting an unresponsive server sooner and preventing the ssh session to freeze.
Both ssh options are described in "man ssh_config". Quote:
Quote:
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold
is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the
use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and there‐
fore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or
server depend on knowing when a connection has become inactive.


ServerAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel
to request a response from the server. The default is 0, indicating that these messages will not be sent to the server, or 300 if the BatchMode
option is set. This option applies to protocol version 2 only. ProtocolKeepAlives and SetupTimeOut are Debian-specific compatibility aliases for
this option.

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
to the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However,
this means that connections will die if the route is down tempo-
rarily, and some people find it annoying.

The default is ``yes'' (to send TCP keepalive messages), and the
client will notice if the network goes down or the remote host
dies. This is important in scripts, and many users want it too.

To disable TCP keepalive messages, the value should be set to
``no''.


Bottom line is that with a ServerAliveInterval of 30 and default ServerAliveCountMax, it means that after 90 seconds of server being unresponsive, the client will terminate the ssh session instead of freezing it until tcp keepalives kick in.

What is the difference between ssh keepalives and tcp keepalives?


As stated above, ssh server alive interval allows the ssh client to use the ssh encrypted channel to send probes and receive the response from the server.
Tcp Keepalive is TCP mechanism of sending keepalives once the kernel detects the tcp session (ssh runs over tcp) after configurable amount of seconds. It is a lower level mechanism. The downside is that tcp keepalive, by default, kicks in after high amount of seconds. Linux defines this under "tcp_keepalive_time" and FreeBSD under "net.inet.tcp.keepidle" kernel parameters.

Another disatvantage of the tcp keepalive mechanism in kernel is that the messages can be spoofed by an attacker and could prevent the parties from terminating a faulty ssh session.

Below is tcp keepalive for an idle ssh session under FreeBSD where "net.inet.tcp.keepidle: 600000" = 600 seconds.
Code:
...
00:40:41.130022 IP 10.1.1.1.22 > 192.168.1.4.39507: Flags [P.], seq 3298:3362, ack 4088, win 49, options [nop,nop,TS val 557287680 ecr 2501000757], length 64
00:40:41.229270 IP 192.168.1.4.39507 > 10.1.1.1.22: Flags [.], ack 3362, win 4107, options [nop,nop,TS val 2501001352 ecr 557287680], length 0
00:50:41.129352 IP 192.168.1.4.39507 > 10.1.1.1.22: Flags [.], ack 3362, win 4107, length 0
00:50:41.184584 IP 10.1.1.1.22 > 192.168.1.4.39507: Flags [.], ack 4088, win 49, options [nop,nop,TS val 557437692 ecr 2501001352], length 0

The above output shows the last data packets terminating at 00:40:41 timestamp. After 10 minutes the client's tcp keepalive mechanism in FreeBSD kernel kicks in.


Now for an SSH serveralive output:
Code:
# ssh -o TCPKeepAlive=yes -o ServerAliveInterval=15 10.1.1.1

Code:
...
01:22:19.965455 IP 10.1.1.1.22 > 192.168.1.4.30178: Flags [P.], seq 3298:3362, ack 4088, win 49, options [nop,nop,TS val 557912384 ecr 2503499100], length 64
01:22:20.065124 IP 192.168.1.4.30178 > 10.1.1.1.22: Flags [.], ack 3362, win 4107, options [nop,nop,TS val 2503500188 ecr 557912384], length 0
01:22:35.211919 IP 192.168.1.4.30178 > 10.1.1.1.22: Flags [P.], seq 4088:4152, ack 3362, win 4107, options [nop,nop,TS val 2503515334 ecr 557912384], length 64
01:22:35.267361 IP 10.1.1.1.22 > 192.168.1.4.30178: Flags [P.], seq 3362:3394, ack 4152, win 49, options [nop,nop,TS val 557916210 ecr 2503515334], length 32
01:22:35.367115 IP 192.168.1.4.30178 > 10.1.1.1.22: Flags [.], ack 3394, win 4107, options [nop,nop,TS val 2503515490 ecr 557916210], length 0

01:22:20 is the timestamp of last data packet. 15 seconds later, three more messages are exchanged: 1. is the ssh encrypted probe from ssh client to server. 2 is the response from ssh server to client. 3 is the tcp ACK send by the client (TCP requires every segment to be acknowledged). This 3rd message is sent by client's kernel.





Top
Display posts from previous:  Sort by  
E-mail friendPrint view

Topics related to - "How to prevent Linux SSH client from disconnecting using ServerAliveInterval"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. How to list PCI devices in Linux - lspci

mandrei99

0

1268

Mon Jul 22, 2013 10:03 am

mandrei99 View the latest post

There are no new unread posts for this topic. Linux clear screen / terminal

mandrei99

2

4575

Wed Mar 04, 2015 8:52 am

Guest View the latest post

There are no new unread posts for this topic. Linux: List kernel supported filesystems

debuser

0

434

Tue Mar 10, 2015 5:45 pm

debuser View the latest post

There are no new unread posts for this topic. Linux: list block devices UUID

debuser

0

783

Tue Mar 10, 2015 5:46 pm

debuser View the latest post

There are no new unread posts for this topic. Change default editor to VI in Debian Linux

mandrei99

0

632

Fri Jan 16, 2015 6:59 pm

mandrei99 View the latest post

There are no new unread posts for this topic. How to print filesystem super block information in Linux

mandrei99

0

6905

Mon Jul 08, 2013 6:56 am

mandrei99 View the latest post

There are no new unread posts for this topic. How to list the largest files in a directory in Linux/FreeBSD

mandrei99

0

536

Thu Jan 22, 2015 5:14 pm

mandrei99 View the latest post

There are no new unread posts for this topic. Checking Linux virtual memory page size

mandrei99

0

445

Mon Feb 09, 2015 4:53 pm

mandrei99 View the latest post

There are no new unread posts for this topic. How to check if ssh/http daemon listens on TCP port in Linux using lsof & netstat

mandrei99

0

5676

Mon Oct 17, 2011 9:17 am

mandrei99 View the latest post

There are no new unread posts for this topic. Linux network interface pci slot information - lspci / Intel or Broadcom

mandrei99

0

4131

Fri Jan 16, 2015 7:58 pm

mandrei99 View the latest post

 

Who is online
Users browsing this forum: No registered users and 0 guests
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
News News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO