Enabling ServerAliveInterval by default

William Ahern william at 25thandClement.com
Mon Dec 17 11:15:06 EST 2007


On Mon, Dec 17, 2007 at 10:30:23AM +1100, Philip wrote:
> On Monday 17 December 2007 05:56:25 Nadav Har'El wrote:
> > I'm having a very hard time believing that I have been the only person who
> > in the course of the last few years found it harder and harder to keep
> > non-LAN ssh connections active without being disconnected after a few
> > minutes of inactivity. I've seen this problem on several combinations of
> > client and server networks.
> 
> +1 here - it also took me a long while to figure out what was going on when I 
> had this problem. I wish it had been a default years ago.
> 
> It's easy enough to change the defaults on machines under your own control, 
> but the biggest problem I had was convincing the administrators of remote 
> systems I had to use to change their sshd_config. They are far more 

I would hope that you also made a pass at trying to convince them not to use
stateful firewalls (or firewalls, period) in situations where they're
entirely superfluous--which encompasses the vast majority of current usages.
(NAT is another issue; equally abhorrent, it's not useful to complain without
available alternatives--IPv6.)

I too have watched this problem rise over the years, and it ebbs and flows
with the laziness and inexperience of administrators. I've seen servers
hacked into countless times, and if there's any correlation with firewalls I
would say that those who use firewalls are more likely to get hacked
(especially those who aren't programmers, or socket programmers, because
they mistrust or just don't plain understand the address and port system,
which of course leads to many other mistakes; in this case ignorance is
particularly dangerous, because a firewall just adds more lines of code
along the network path.)

Anyhow, that's my rant. I tried to stay out of it. Reasonable people can
disagree regarding the setting. But whenever you find a network path with
the problem, and you actually bother communicating with another admin, I
would hope we can all agree we have a duty (and/or just plain self-interest)
to try to inject some sanity into this horrible state of affairs. Likely
you'll be ignored, but there have been successes, and in any event it's
worthwhile to raise awareness.

It's worthwhile to point out that, thankfully, intermediate ISPs aren't causing
this problem. It's either you or your remote peer; so if your pleadings fall
on deaf ears on this forum that's your explanation.
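
The settings the thread is arguing about, shown as an added example (not part of any post above) for a client-side ~/.ssh/config and a server-side sshd_config; the interval and count values are illustrative, not the project defaults:

```sshconfig
# ~/.ssh/config (client side, illustrative values):
# after 60 s without traffic, send a keep-alive request inside the
# encrypted channel; give up after 3 unanswered requests (3 minutes).
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

# /etc/ssh/sshd_config (server side): the same mechanism initiated by
# the server, for peers whose client config you cannot change.
ClientAliveInterval 60
ClientAliveCountMax 3
```

These requests travel inside the SSH session, so a NAT or stateful firewall on the path sees ordinary connection traffic and refreshes its state entry, and a peer that stops answering is detected after Interval x CountMax seconds. TCPKeepAlive is a separate, TCP-level probe that is not part of the encrypted protocol and is the option these directives are meant to replace for this purpose.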



More information about the openssh-unix-dev mailing list