|
Steve Kehlet's Pages
Copyright (c) 2003-2014 Steven Kehlet |
Keeping Your SSH Sessions Alive Through Pesky NAT Firewalls
Fri Jun 3rd 2005, 1:12pm
NAT firewalls like to time out idle sessions to keep their state tables clean and their
memory footprint low. Some firewalls are nice, and let you idle for up to a day or so;
some are gestapo and terminate your session after 5 minutes. I finally got tired of my
ssh sessions getting disconnected at places where I don't control the firewalls, and
figured out how to stop it. Turn out ssh has a nice inband keepalive mechanism, and even
lets you set it on a per-destination basis. Just create a ~/.ssh/config file with
something like the following (* will match any host, if you wanted you could restrict this
to particular destinations like *kehlet.cx):
Host *
ServerAliveInterval 240
That's how often, in seconds, ssh will send a keepalive request (at the application layer)
to the other end if the connection's been otherwise idle. 4 minutes should be good :-).
The Host line lets you pattern match your destinations. Minimal effort, no impact to your
system (say, as you would have if you mucked with your system's default TCP keepalive
settings), and it works like a charm.
Visitor comments
On Mon Jul 11th 2005, 12:57am, Rajesh Pandey posted:
Can I know more about this.
I want to keep my session alive to log in the hrs on an education portal. What should I actually do as I am a starter. Thanks. Rajesh Pandey
On Mon Jul 11th 2005, 5:47pm, Steve Kehlet posted:
These instructions are for Unix systems and OpenSSH. Just create the
directory ".ssh" in your home directory, if it doesn't already
exist, and create a file inside called "config" with the
following two lines:
Host * ServerAliveInterval 240 (Be sure to indent that second line with at least one space). This should help if your session is getting timed out by a firewall. Beyond this I would refer you to the OpenSSH documentation at www.openssh.org.
On Wed Sep 7th 2005, 11:22pm, Joel posted:
It should be mentioned that the user and group owners of the ~/.ssh/config
file should be the same as ~/.ssh/known_hosts
Also, does anybody know if this option can be added to any of the files in /etc/ssh/ to make it system wide?
On Thu Sep 8th 2005, 11:51am, Steve Kehlet posted:
Hi Joel. Sure, you can put ServerAliveInterval in the system-wide config
file, a user config file, or on the ssh command line (with -o). See
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config
On Fri Feb 10th 2006, 6:26pm, Ryan posted:
I did what mentioned above, but got an error when i use ssh:
/home/some_user/.ssh/config: line 2: Bad configuration option: ServerAliveInterval /home/some_user/.ssh/config: line 3: Bad configuration option: ServerAliveCountMax /home/some_user/.ssh/config: terminating, 2 bad configuration options
On Fri Feb 10th 2006, 8:32pm, Steve Kehlet posted:
Ryan, the version of ssh you have installed is probably too old to support
this feature. If you can, try upgrading.
On Mon Dec 10th 2007, 4:26pm, Raffaella posted:
Pardon my ignorance but where exactly should I create the .ssh/config file
(with the lines "Host *" and "ServerAliveInterval
240")? On the local computer (a MacBookPro) that I use to connect to
the remote host (a linux machine) or on the remote host?
Thanks :)
On Mon Dec 10th 2007, 5:29pm, Steve Kehlet posted:
Raffaella, put the config file underneath the directory ".ssh"
(which may or may not already exist), underneath your home directory. If
.ssh doesn't already exist you'll need to create it in a Terminal window
("mkdir .ssh").
On Sat Nov 29th 2008, 7:13am, Visitor posted:
What didn't you understand about his fucking question???!!! REMOTE or
LOCAL?
On Sat Nov 29th 2008, 4:24pm, Steve Kehlet posted:
On the local computer. Hope this clears up any confusion.
On Mon Jan 19th 2009, 5:14pm, Roger posted:
Thanks for posting this Steve. And I must say that you have an
unbelievable level of cool to actually respond to that last jerk (and
politely too!).
On Wed Aug 12th 2009, 9:51am, Who posted:
LOL @ VISITOR
On Tue Sep 8th 2009, 11:50pm, 0xdeadbeef posted:
If you happen to be using the PuTTY SSH client on a M$ Windows system,
there is a "Seconds between keepalives" option (disabled by
default) in the "Connection" configuration node.
On Mon Oct 26th 2009, 2:56pm, Visitor posted:
If you're using SecureCRT, you can edit the Global Options (Edit Default
Settings button). The "Terminal" tab has an anti-idle section. I
set mine to "Send protocol NO-OP" every 60 seconds.
On Wed Mar 10th 2010, 12:25pm, Adam Monsen posted:
Very helpful. Thank you!
On Sat Oct 9th 2010, 10:09am, Visitor posted:
I have the following in ~/.ssh/config
Host * ServerAliveInterval 14400 I did ssh to a remote host, left the terminal idle, and found it frozen when I came back after about 30min. What else could be wrong?
On Mon Oct 11th 2010, 11:20am, Steve Kehlet posted:
Visitor, I'd suggest trying a smaller value than 14400, maybe 60 or so. If
you wanted you could then try increasing that number and testing with
increasingly longer idle times to see where the cutoff is. Personally, in
this day and age, I don't care much about junk traffic on the wires so
60sec isn't bad.
On Mon Oct 18th 2010, 3:24am, Colin 't Hart posted:
14400 = 4 hours, so it's not surprising that your session has timed-out
after 30 minutes :-)
Set ServerAliveInterval to 60 as Steve suggested.
On Mon Jan 10th 2011, 8:22am, Visitor posted:
Thank you for this post!
On Sat Apr 30th 2011, 5:24pm, theodore posted:
Thanks, this is this most straightforward (and complete) explanation I've
been able to find.
On Thu Jul 7th 2011, 9:58am, Simone posted:
six years old and still useful. Thank you for this post Steve
On Tue Jul 12th 2011, 11:12am, Melli posted:
Finally a solution to the problem that's been driving me nuts since I got a
new modem. Thanks Steve!
On Tue Jul 12th 2011, 5:07pm, Steve Kehlet posted:
Thanks everyone, glad you found this useful.
On Tue Sep 6th 2011, 11:37am, Arda Gozubuyukoglu posted:
If you are using OpenSSH there is an option called
"ClientAliveInterval" and its working quite good
just change it From: #ClientAliveInterval 0 To: ClientAliveInterval 30 Regards, Arda
On Tue Sep 6th 2011, 11:38am, Arda Gozubuyukoglu posted:
Sorry, I forgot to tell , it is in the global configuration of ssh
(sshd_config) under etc/sshd
On Wed Feb 8th 2012, 12:09pm, Visitor posted:
thanks for the help this is perfect...this was driving me crazy
On Wed Feb 8th 2012, 12:11pm, Visitor posted:
Oh and by the way, ClientAliveInterval and ServerAliveInterval are
completely different. ServerAliveInterval maintains a persistant
connection (for x seconds) to an out side machine. ClientAliveInterval
allows inbound machines to maintain a persistent connection. There are
different security implications for each.
On Wed Aug 22nd 2012, 6:39pm, Visitor posted:
ClientAliveInterval:
An SSH server (sshd) configuration option that tells the server to send a request to the client at the given interval asking the client for a response to verify an active connection ServerAliveInterval: An SSH client (ssh) configuration option that tells the client software to send a request to the server at the given interval to verify an active connection
On Sat Dec 21st 2013, 6:50pm, jwbeauch posted:
I'm working at home on a Macintosh using Terminal and connecting to a
remote Linux machine. I would like to keep ssh going without activity for
at least an hour. I frequently do a little work, then go eat or take a
shower (or both), and I want to come back before my Terminal times out. (I
haven't been sure whether it's the local or the remote machine causing the
problem.) My default cutoff time seems to be about 20 minutes, but I've
never measured it, so restricting it to 4 minutes using the suggestion
given in this forum won't help. Is there a better solution? Right now I'm
trying
Host * ServerAliveInterval 3600 in ~/.ssh/config to see if that helps. It should give 1 hour before cutoff. Thanks, Jim
On Mon Dec 23rd 2013, 9:58pm, Steve Kehlet posted:
@jwbeauch: I would try a much lower value, like 60:
Host * ServerAliveInterval 60 Hopefully 60 seconds is low enough to keep the connection alive. Good luck! |