Idle SSH session disconnects (update)

Frank Cusack fcusack at fcusack.com
Sat Aug 31 19:40:46 EST 2002


On Fri, Aug 30, 2002 at 09:48:11PM -0700, Jim Cunning wrote:
> On Fri, 30 Aug 2002, Frank Cusack wrote:
> 
> > On Fri, Aug 30, 2002 at 07:06:07PM -0600, Bob Proulx wrote:
> > > Jim Cunning <jcunning at cts.com> [2002-08-30 14:26:47 -0700]:
> > > > I will try setting KeepAlive to no.
> > >
> > > Many people have joked over the years that KEEPALIVE should really be
> > > called MAKEDEAD instead because that is the function.
> >
> > Unless you are passing through a stateful firewall, which must keep
> > a session timer.
> 
> I tried setting the KeepAlive parameter to no in /etc/sshd_config, then
> restarting sshd.  I then opened an SSH session and left it idle.  Almost
> exactly two hours later I noticed that it was disconnected with a comment
> something like "read failed" and "connection reset by peer" -- I'm no
> longer at my work computer, so I'm writing from memory.

So you *are* passing through a stateful firewall and the system keepalive
(2 hours by default on most systems, per RFC recommendation) kills
the connection.  It's more likely that the session is killed at 20 minutes
of idle time (typical default session timer on firewalls) but you don't
notice it until 1:40 later when your machine does a keepalive probe.

> So, turning off KEEPALIVE (or MAKEDEAD) seemed to have no effect.

Both client and server need to disable keepalives; if one of them has it
on it is effectively on.  This is documented in the man page.

I'm surprised this isn't an FAQ or common enough that a Google search
would turn something up.

You need to

- enable keepalives
- set the timer to be faster than the firewall session timer.

For ssh2, you can choose the time in sshd_config by setting the
ClientAlive* options.  For ssh1, you need to tweak the system timers
on either the server or client system; this is of course system-dependent.

You could also bump the session timer on the firewall to > 2 hours, but
this is likely to be a bad idea as stale sessions will leave state on
the firewall for a "long" time.

/fc
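
The check described in the message above (keepalives enabled, with a timer faster than the firewall session timer), as an added example that is not part of the original post. The function names and the sample config are constructed for illustration, the value is assumed to be plain seconds, and 1200 s stands for the 20-minute firewall timer the message mentions.

```shell
#!/bin/sh
# Added example: does the global section of an sshd_config set a
# ClientAliveInterval shorter than the firewall's idle-session timer?

# Print the effective global ClientAliveInterval in seconds (0 = disabled).
# sshd uses the first value it obtains for a keyword, so stop at the first hit.
effective_client_alive_interval() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, allow Keyword=value
        tolower($1) == "match" { exit }       # only the global section counts here
        tolower($1) == "clientaliveinterval" { v = $2; exit }
        # Assumption: the value is written as plain seconds.
        END { if (v ~ /^[0-9]+$/) print v; else print 0 }
    ' "$1"
}

# Return 0 if probes go out before the firewall would drop the idle session.
# $1 = sshd_config path, $2 = firewall idle timer in seconds.
keepalive_beats_firewall() {
    interval=$(effective_client_alive_interval "$1")
    [ "$interval" -gt 0 ] && [ "$interval" -lt "$2" ]
}

# Constructed sample config: the duplicate keyword further down is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from the thread
ClientAliveInterval 300
ClientAliveCountMax 3
ClientAliveInterval 7200
EOF

if keepalive_beats_firewall "$sample" 1200; then
    echo "ok: probe every $(effective_client_alive_interval "$sample")s, firewall timer 1200s"
else
    echo "idle sessions will outlive the firewall's state entry"
fi
rm -f "$sample"
```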



More information about the openssh-unix-dev mailing list