10.07.2010

SSH Client Keep Alives

At my new office in the Shell Building the main router is a SonicWall which has a setting to drop idle TCP connections after 15 minutes. This is annoying since I usually have several going at once. I don't have access to the router so I had to work around the issue.

The poor man's solution is to run the "top" command on your idle terminals so that packets come through. Not elegant and too manual for me.

The rich man's solution is to change the server's keep alive settings (TCPKeepAlive yes). I call this the rich man's solution because it means everyone bends over for you.

The middle class man's solution is to add some directives to the default SSH client options on your local machine. Here's how:

Edit (as root) /etc/ssh/ssh_config and add the following lines:

TCPKeepAlive yes
ServerAliveInterval 60
ServerAliveCountMax 5


This means that whenever 60 seconds pass with no data received from the server, your machine sends a keep alive to the server through the encrypted channel. If the physical connection gets dropped, a keep alive is still sent every 60 seconds until 5 of them have gone unanswered, at which point ssh gives up (after 5 minutes).

From the man page:

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. The default is ``yes'' (to send TCP keepalive messages), and the client will notice if the network goes down or the remote host dies. This is important in scripts, and many users want it too. To disable TCP keepalive messages, the value should be set to ``no''.
ServerAliveCountMax
Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If, for example, ServerAliveInterval (see below) is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. This option applies to protocol version 2 only.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server. This option applies to protocol version 2 only.
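
To confirm the settings took effect and see the resulting timings, here is an added example (not part of the original post). It reads settings in the format printed by `ssh -G` and compares them with the 15-minute idle timeout. It assumes OpenSSH 6.8 or later for `ssh -G`; the function name `check_keepalive` and the host name `myhost` are made up for illustration.

```shell
#!/bin/sh
# Added example: audit SSH client keepalive settings against a firewall idle timeout.
# Input on stdin: lowercase "key value" lines, the format printed by `ssh -G <host>`.

# check_keepalive IDLE_TIMEOUT_SECONDS
# Prints a one-line verdict; returns 0 if an idle session should survive, 1 otherwise.
check_keepalive() {
    idle_timeout=$1
    awk -v idle="$idle_timeout" '
        $1 == "serveraliveinterval" { interval = $2 }
        $1 == "serveralivecountmax" { count = $2 }
        $1 == "tcpkeepalive"        { tcpka = $2 }
        END {
            # Defaults from the man page text quoted above.
            if (interval == "") interval = 0
            if (count == "")    count = 3
            if (tcpka == "")    tcpka = "yes"
            if (interval + 0 == 0) {
                print "FAIL: ServerAliveInterval is 0, no encrypted keepalives are sent"
                exit 1
            }
            if (interval + 0 >= idle + 0) {
                printf "FAIL: interval %ds is not below the %ds idle timeout\n", interval, idle
                exit 1
            }
            # An unresponsive server is dropped after interval * count seconds.
            printf "OK: probe every %ds, dead peer detected after ~%ds (tcpkeepalive=%s)\n", interval, interval * count, tcpka
        }'
}

# Constructed sample in `ssh -G` output format, using the values from this post.
sample='tcpkeepalive yes
serveraliveinterval 60
serveralivecountmax 5'

# 900 s is the 15-minute idle timeout described at the top of the post.
printf '%s\n' "$sample" | check_keepalive 900

# Live check against the effective client configuration ("myhost" is a placeholder):
#   ssh -G myhost | check_keepalive 900
```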
