[Bug 2811] New: sshd does not exit after ClientAlive failure if forwarded connections are still connected

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Dec 14 03:06:18 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2811

            Bug ID: 2811
           Summary: sshd does not exit after ClientAlive failure if
                    forwarded connections are still connected
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: archie at dellroad.org

The situation:

1. Server is configured with ClientAliveInterval=3 and
ClientAliveCountMax=5
2. Client machine runs "ssh -24xaTnN -i/some/keyfile ...
-oBatchMode=yes -oExitOnForwardFailure=yes -oServerAliveInterval=3
-oServerAliveCountMax=5 -Rxx:localhost:zz user at server". Note the
purpose of this SSH connection is only to set up the reverse tunnel
(there is no pty or interactive session). This ssh process is run as a
background daemon by a separate monitoring script.
3. A TCP connection is established on the reverse-forwarded port xx
from server back to client through the SSH connection, and then is idle
(no traffic).
4. Network connectivity is lost between server and client - suddenly,
no traffic can get through (so no clean shutdown of TCP connection)
5. The ssh client eventually detects the failure and exits, then is
restarted automatically (by a separate monitoring script) and retries
repeatedly.
6. However, the sshd process running on server never exits (THIS IS THE
BUG)
7. Once connectivity is restored, the client's retrying eventually
creates a successful ssh connection, but it then fails immediately
because the old sshd process is still hanging around listening on
localhost:xx and the new connection has -oExitOnForwardFailure=yes.

So it LOOKS as if the ClientAlive* keep-alive setting on server is not
working at all...

In trying to understand this behavior, I'm guessing what's really
happening is that the ClientAlive* keep-alive setting is actually
working and does detect the lost connection, but the existence of the
established reverse-forwarded TCP connection is preventing sshd from
exiting - just like when you exit an interactive SSH session with a
still-connected forwarded TCP connection and it hangs until that
forwarded TCP session closes.

First of all - is this behavior expected?

If not - consider this a bug report.

If so - consider this a feature request, namely, it would be nice if
there were a way to configure around this.

E.g., add new options ClientKillForwardedConnectionsOnClose and
ServerKillForwardedConnectionsOnClose that mean "if the main SSH
connection dies (or completes normally), forcibly kill any forwarded
connections immediately instead of waiting for them to close."

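An operator-side check for the symptom in the report's numbered steps, as an added example that is not part of the original report or of OpenSSH: it parses `ss -Htlnp` output to show which sshd process still holds the reverse-forwarded port on the server. The sample output, port 2222 (standing in for the report's "xx") and the function names are constructed for illustration.

```python
import re

# Constructed sample of `ss -Htlnp` output (not taken from the bug report).
# Port 2222 stands in for the report's forwarded port "xx".
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:2222 0.0.0.0:* users:(("sshd",pid=4121,fd=9))
LISTEN 0 128 [::1]:2222 [::]:* users:(("sshd",pid=4121,fd=8))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=990,fd=13))
"""

# One owner entry inside the users:((...)) column, e.g. ("sshd",pid=4121,fd=9)
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def listeners_on_port(ss_output, port):
    """Return sorted (local_address, process_name, pid) for each listener on port."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::1] intact.
        addr, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        procs = PROC_RE.findall(" ".join(fields[5:]))
        if not procs:
            # ss hides socket owners when run without sufficient privileges.
            procs = [("unknown", "0")]
        for name, pid in procs:
            found.add((addr, name, int(pid)))
    return sorted(found)


def sshd_pids_holding(ss_output, port):
    """PIDs of sshd processes that still own a listener on the forwarded port."""
    return sorted({pid for _, name, pid in listeners_on_port(ss_output, port)
                   if name == "sshd"})


if __name__ == "__main__":
    for addr, name, pid in listeners_on_port(SAMPLE_SS, 2222):
        print(f"port 2222 held on {addr} by {name} (pid {pid})")
```

While any PID is returned for the forwarded port, a new client started with -oExitOnForwardFailure=yes will fail as the report describes.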