
ssh keepalives and tcp keepalives in openssh

An SSH connection can be kept alive either with SSH keepalive packets (sent inside the encrypted channel) or with TCP keepalive packets. Both mechanisms also detect hung sessions: when the peer stops responding, the client or server can drop the dead connection instead of leaving it open indefinitely.

On an OpenSSH server, the SSH keepalive packets are controlled by two sshd_config parameters:
ClientAliveCountMax 3 (default)
ClientAliveInterval 0 (default) - means the server will not send SSH keepalive packets

From the sshd_config manual page:
     ClientAliveCountMax
             Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client.  If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.
     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client.

On an OpenSSH client, the SSH keepalive packets are controlled by two ssh_config parameters:
ServerAliveCountMax 3 (default)
ServerAliveInterval 0 (default) - means the client will not send SSH keepalive packets

From the ssh_config manual page:
     ServerAliveCountMax
             Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server.  If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session.
     ServerAliveInterval
             Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server.

TCP keepalives are enabled by default on both the server and the client. They are controlled by the TCPKeepAlive option, which can be set to "yes" (default) or "no" (disables sending of TCP keepalives).

From the man pages of ssh_config or sshd_config:
     TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages to the other side.  If they are sent, death of the connection or crash of one of the machines will be properly noticed.

Both the OpenSSH client and server rely on the kernel's TCP keepalive implementation (available since 2.2 kernels), whose parameters are controllable via sysctl:
net.ipv4.tcp_keepalive_time = 7200 (in seconds)
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_intvl = 75 (in seconds)

From the kernel sysctl-ip documentation:
tcp_keepalive_time - INTEGER
How often TCP sends out keepalive messages when keepalive is enabled.
Default: 2 hours.
tcp_keepalive_probes - INTEGER
How many keepalive probes TCP sends out, until it decides that the connection is broken. Default value: 9.
tcp_keepalive_intvl - INTEGER
How frequently the probes are sent out. Multiplied by tcp_keepalive_probes, it is the time to kill a non-responding connection after probes have started. Default value: 75 sec, i.e. the connection will be aborted after ~11 minutes of retries.

To change any of the parameters (e.g. tcp_keepalive_time) at runtime you can use:
sysctl -w net.ipv4.tcp_keepalive_time=100
The above setting makes the kernel start sending TCP keepalive probes once a connection has received no data for 100 seconds.
To make the change permanent, edit /etc/sysctl.conf and add the entry:
net.ipv4.tcp_keepalive_time=100
Then, for the change to take effect, make sysctl reread the settings in /etc/sysctl.conf by running as root:
sysctl -p
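Putting the two mechanisms side by side: the script below (an added example, not part of the original post) reads ClientAliveInterval and ClientAliveCountMax out of an sshd_config-style text, applying the OpenSSH defaults when a keyword is absent, and computes how long a dead peer lingers before the SSH keepalive gives up (interval times count) versus before the kernel aborts the TCP connection (tcp_keepalive_time plus probes times intvl). The config fragments and sysctl values are constructed here so it runs offline.

```shell
#!/bin/sh
# Added example: estimate dead-peer detection time for SSH vs TCP keepalives.
# Config text and sysctl numbers below are constructed, not read from a live host.

# Look up an sshd_config keyword (first match wins, as sshd does; keywords are
# case-insensitive); print the supplied default when the keyword is absent.
ssh_opt() {
    # $1 = config text, $2 = keyword, $3 = default value
    val=$(printf '%s\n' "$1" | awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${val:-$3}"
}

# Seconds until sshd drops a silent client: ClientAliveInterval * ClientAliveCountMax.
# Yields 0 when ClientAliveInterval is 0, i.e. SSH keepalives are disabled.
ssh_keepalive_deadline() {
    interval=$(ssh_opt "$1" ClientAliveInterval 0)
    count=$(ssh_opt "$1" ClientAliveCountMax 3)
    echo $((interval * count))
}

# Seconds until the kernel aborts an idle connection whose peer is gone:
# tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl.
tcp_keepalive_deadline() {
    # $1 = tcp_keepalive_time, $2 = tcp_keepalive_probes, $3 = tcp_keepalive_intvl
    echo $(($1 + $2 * $3))
}

SAMPLE_CONFIG='# constructed sshd_config fragment
Port 22
ClientAliveInterval 60
ClientAliveCountMax 3
TCPKeepAlive yes'

SAMPLE_CONFIG_DEFAULT='# constructed fragment with no ClientAlive* lines: OpenSSH defaults apply
Port 22'

# Kernel defaults quoted in the post: 7200 s idle, 9 probes, 75 s apart -> 7875 s (~2 h 11 min)
tcp_keepalive_deadline 7200 9 75
# 60 s * 3 -> 180 s
ssh_keepalive_deadline "$SAMPLE_CONFIG"
# No ClientAliveInterval -> 0: only the TCP keepalive timer applies
ssh_keepalive_deadline "$SAMPLE_CONFIG_DEFAULT"
```

With the defaults, a crashed client holds an sshd session open for well over two hours; a non-zero ClientAliveInterval is what brings that down to minutes.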
