Keeping Your SSH Sessions Alive Through Pesky NAT Firewalls
Fri Jun 3rd 2005, 1:12pm
NAT firewalls like to time out idle sessions to keep their state tables clean and their memory footprint low. Some firewalls are nice, and let you idle for up to a day or so; some are gestapo and terminate your session after 5 minutes. I finally got tired of my ssh sessions getting disconnected at places where I don't control the firewalls, and figured out how to stop it. Turns out ssh has a nice in-band keepalive mechanism, and even lets you set it on a per-destination basis. Just create a ~/.ssh/config file with something like the following (* will match any host; if you wanted, you could restrict this to particular destinations like *kehlet.cx):
Host *
    ServerAliveInterval 240
That's how often, in seconds, ssh will send a keepalive request (at the application layer) to the other end if the connection's been otherwise idle. 4 minutes should be good :-). The Host line lets you pattern match your destinations. Minimal effort, no impact to your system (say, as you would have if you mucked with your system's default TCP keepalive settings), and it works like a charm.
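
The per-destination matching described above, as an added example that is not part of the original post: a simplified Python sketch of how ssh picks ServerAliveInterval from Host blocks (the first value obtained wins), checked against a firewall's idle timeout. The sample config, host names and function names are constructed for illustration; Match blocks and Include files are not handled.

```python
import fnmatch

# Constructed sample: the specific pattern comes first because ssh keeps the
# first value it obtains for each option.
SAMPLE_CONFIG = """\
Host *kehlet.cx
    ServerAliveInterval 60

Host *
    ServerAliveInterval 240
"""

def host_matches(patterns, host):
    """Host-line matching for '*', '?' and '!' negation (simplified sketch)."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False          # a negated match always wins
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_keepalive(config_text, host):
    """Return (ServerAliveInterval, ServerAliveCountMax) ssh would use for host."""
    opts = {"serveraliveinterval": 0, "serveralivecountmax": 3}  # OpenSSH defaults
    seen, active = set(), True        # options before any Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.replace("=", " ", 1).split()
        key = key.lower()             # keywords are case-insensitive
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False            # Match blocks are not handled here
        elif active and key in opts and key not in seen and args:
            opts[key] = int(args[0])
            seen.add(key)             # first obtained value wins
    return opts["serveraliveinterval"], opts["serveralivecountmax"]

def survives_idle(config_text, host, nat_idle_timeout):
    """True if a keepalive is sent before the firewall's idle timer expires."""
    interval, _ = effective_keepalive(config_text, host)
    return 0 < interval < nat_idle_timeout

if __name__ == "__main__":
    for h in ("www.kehlet.cx", "example.org"):
        print(h, effective_keepalive(SAMPLE_CONFIG, h), survives_idle(SAMPLE_CONFIG, h, 300))
```

Putting `Host *` above a more specific block makes the catch-all value win for every host, so keep specific patterns first.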



Visitor comments
On Mon Jul 11th 2005, 12:57am, Rajesh Pandey posted:
Can I know more about this.
I want to keep my session alive to log in the hrs on an education portal.
What should I actually do as I am a starter.
Thanks.
Rajesh Pandey


On Mon Jul 11th 2005, 5:47pm, Steve Kehlet posted:
These instructions are for Unix systems and OpenSSH. Just create the directory ".ssh" in your home directory, if it doesn't already exist, and create a file inside called "config" with the following two lines:

Host *
    ServerAliveInterval 240

(Be sure to indent that second line with at least one space). This should help if your session is getting timed out by a firewall.

Beyond this I would refer you to the OpenSSH documentation at www.openssh.org.


On Wed Sep 7th 2005, 11:22pm, Joel posted:
It should be mentioned that the user and group owners of the ~/.ssh/config file should be the same as ~/.ssh/known_hosts

Also, does anybody know if this option can be added to any of the files in /etc/ssh/ to make it system wide?


On Thu Sep 8th 2005, 11:51am, Steve Kehlet posted:
Hi Joel. Sure, you can put ServerAliveInterval in the system-wide config file, a user config file, or on the ssh command line (with -o). See http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config


On Fri Feb 10th 2006, 6:26pm, Ryan posted:
I did what was mentioned above, but got an error when I use ssh:
/home/some_user/.ssh/config: line 2: Bad configuration option: ServerAliveInterval
/home/some_user/.ssh/config: line 3: Bad configuration option: ServerAliveCountMax
/home/some_user/.ssh/config: terminating, 2 bad configuration options


On Fri Feb 10th 2006, 8:32pm, Steve Kehlet posted:
Ryan, the version of ssh you have installed is probably too old to support this feature. If you can, try upgrading.


On Mon Dec 10th 2007, 4:26pm, Raffaella posted:
Pardon my ignorance but where exactly should I create the .ssh/config file (with the lines "Host *" and "ServerAliveInterval 240")? On the local computer (a MacBookPro) that I use to connect to the remote host (a linux machine) or on the remote host?
Thanks :)


On Mon Dec 10th 2007, 5:29pm, Steve Kehlet posted:
Raffaella, put the config file underneath the directory ".ssh" (which may or may not already exist), underneath your home directory. If .ssh doesn't already exist you'll need to create it in a Terminal window ("mkdir .ssh").


On Sat Nov 29th 2008, 7:13am, Visitor posted:
What didn't you understand about his fucking question???!!! REMOTE or LOCAL?


On Sat Nov 29th 2008, 4:24pm, Steve Kehlet posted:
On the local computer. Hope this clears up any confusion.



On Mon Jan 19th 2009, 5:14pm, Roger posted:
Thanks for posting this Steve. And I must say that you have an unbelievable level of cool to actually respond to that last jerk (and politely too!).


On Wed Aug 12th 2009, 9:51am, Who posted:
LOL @ VISITOR


On Tue Sep 8th 2009, 11:50pm, 0xdeadbeef posted:
If you happen to be using the PuTTY SSH client on a M$ Windows system, there is a "Seconds between keepalives" option (disabled by default) in the "Connection" configuration node.


On Mon Oct 26th 2009, 2:56pm, Visitor posted:
If you're using SecureCRT, you can edit the Global Options (Edit Default Settings button). The "Terminal" tab has an anti-idle section. I set mine to "Send protocol NO-OP" every 60 seconds.


On Wed Mar 10th 2010, 12:25pm, Adam Monsen posted:
Very helpful. Thank you!


On Sat Oct 9th 2010, 10:09am, Visitor posted:
I have the following in ~/.ssh/config

Host *
ServerAliveInterval 14400

I did ssh to a remote host, left the terminal idle, and found it frozen when I came back after about 30min. What else could be wrong?




On Mon Oct 11th 2010, 11:20am, Steve Kehlet posted:
Visitor, I'd suggest trying a smaller value than 14400, maybe 60 or so. If you wanted you could then try increasing that number and testing with increasingly longer idle times to see where the cutoff is. Personally, in this day and age, I don't care much about junk traffic on the wires so 60sec isn't bad.


On Mon Oct 18th 2010, 3:24am, Colin 't Hart posted:
14400 = 4 hours, so it's not surprising that your session has timed-out after 30 minutes :-)
Set ServerAliveInterval to 60 as Steve suggested.


On Mon Jan 10th 2011, 8:22am, Visitor posted:
Thank you for this post!


On Sat Apr 30th 2011, 5:24pm, theodore posted:
Thanks, this is the most straightforward (and complete) explanation I've been able to find.


On Thu Jul 7th 2011, 9:58am, Simone posted:
six years old and still useful. Thank you for this post Steve


On Tue Jul 12th 2011, 11:12am, Melli posted:
Finally a solution to the problem that's been driving me nuts since I got a new modem. Thanks Steve!


On Tue Jul 12th 2011, 5:07pm, Steve Kehlet posted:
Thanks everyone, glad you found this useful.


On Tue Sep 6th 2011, 11:37am, Arda Gozubuyukoglu posted:
If you are using OpenSSH there is an option called "ClientAliveInterval" and it's working quite well.
Just change it
From:
#ClientAliveInterval 0
To:
ClientAliveInterval 30

Regards,
Arda


On Tue Sep 6th 2011, 11:38am, Arda Gozubuyukoglu posted:
Sorry, I forgot to tell, it is in the global configuration of ssh (sshd_config) under etc/sshd


On Wed Feb 8th 2012, 12:09pm, Visitor posted:
thanks for the help this is perfect...this was driving me crazy


On Wed Feb 8th 2012, 12:11pm, Visitor posted:
Oh and by the way, ClientAliveInterval and ServerAliveInterval are completely different. ServerAliveInterval maintains a persistent connection (for x seconds) to an outside machine. ClientAliveInterval allows inbound machines to maintain a persistent connection. There are different security implications for each.


On Wed Aug 22nd 2012, 6:39pm, Visitor posted:
ClientAliveInterval:
An SSH server (sshd) configuration option that tells the server to send a request to the client at the given interval asking the client for a response to verify an active connection

ServerAliveInterval:
An SSH client (ssh) configuration option that tells the client software to send a request to the server at the given interval to verify an active connection


On Sat Dec 21st 2013, 6:50pm, jwbeauch posted:
I'm working at home on a Macintosh using Terminal and connecting to a remote Linux machine. I would like to keep ssh going without activity for at least an hour. I frequently do a little work, then go eat or take a shower (or both), and I want to come back before my Terminal times out. (I haven't been sure whether it's the local or the remote machine causing the problem.) My default cutoff time seems to be about 20 minutes, but I've never measured it, so restricting it to 4 minutes using the suggestion given in this forum won't help. Is there a better solution? Right now I'm trying

Host *
ServerAliveInterval 3600

in ~/.ssh/config to see if that helps. It should give 1 hour before cutoff.

Thanks,
Jim


On Mon Dec 23rd 2013, 9:58pm, Steve Kehlet posted:
@jwbeauch: I would try a much lower value, like 60:

Host *
ServerAliveInterval 60

Hopefully 60 seconds is low enough to keep the connection alive. Good luck!