Re: Preventing SSH timeouts . Some clarification needed

linux-admin.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Glynn Clements <glynn@gclements.plus.com>
To: query <query.cdac@gmail.com>
Cc: linux-admin@vger.kernel.org, Michal Nazarewicz <mina86@tlen.pl>
Subject: Re: Preventing SSH timeouts . Some clarification needed
Date: Wed, 9 Jun 2010 11:14:33 +0100	[thread overview]
Message-ID: <19471.27017.510757.150961@cerise.gclements.plus.com> (raw)
In-Reply-To: <AANLkTinTlXuiXi_tXzBato6R4ibX8Rs3lo9XC83xo8Ci@mail.gmail.com>

query wrote:

> Guys , since we are clear now that we are not behind NAT , so we can
> forget now about  reducing the keep-alive time

Note that the same issue applies for firewalls which use connection
tracking to determine which packets to allow. Ultimately, it's the
connection tracking that's the issue, not NAT per se.

If the router "forgets" a connection because it hasn't seen any
traffic in a long time, and the result of this is that subsequent
packets are silently discarded, then the connection will cease to
work, resulting in a timeout occurring the next time either side tries
to send data.

This isn't an issue if connection tracking is only used for
scheduling.

> So, do you suggest now to enable to enable the ClientAliveInterval
> option . Also , since ClientAliveCountMax is enabled by default with a
> value of 3 ,
> so probably I will keep the value of ClientAliveInterval less than 300
> secs . I will probably keep it at 60 secs. So , the connection will
> dropout after 180  secs if there is no response .
> 
> Also , somewhat strange , TCPKeepAlive option is disabled in our
> sshd_config file , not sure why . So , If  ClientAliveInterval is
> enabled , can we can leave   TCPKeepAlive disabled . Is our purpose
> will serve ?

The main reason to disable TCP keep-alives is that they can cause a
connection to be dropped unnecessarily. A secondary reason is that
they will cause an on-demand link-layer connection to be opened
unnecessarily, but that's less of issue nowadays.

Without keep-alives, an idle TCP connection doesn't cause any packets
to be sent. The physical link could be down for days, but the TCP
connection will remain open so long as no packets are sent while the
link is down. Enabling keep-alives will cause the connection to fail
in this situation.

The main purpose of keep-alives is to prevent the situation where the
client system crashes, leaving the server process listening for
packets which will never arive. Without keep-alives, there's no way to
distinguish between a client which has permanently vanished and one
which has merely been idle for a long time.

The SSH keep-alives (ClientAliveInterval and ServerAliveInterval)
serve a similar purpose (to force a connection to be terminated when
the other end disappears without explicitly closing the connection),
except that the SSH protocol prevents spoofing. This prevents the
situation where an attacker "silences" one side of the connection and
spoofs TCP keep-alives to prevent the server from realising that
something has happened.

-- 
Glynn Clements <glynn@gclements.plus.com>

next prev parent reply	other threads:[~2010-06-09 10:14 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-06-08  9:36 Preventing SSH timeouts . Some clarification needed query
2010-06-08  9:48 ` Michal Nazarewicz
     [not found]   ` <AANLkTimTjSOmbj_ac4iiUMaHRuvp1-ljW-FUGAQbb1qt@mail.gmail.com>
     [not found]     ` <87k4q9g31y.fsf@erwin.mina86.com>
2010-06-08 15:10       ` query
2010-06-08 19:48         ` Michal Nazarewicz
2010-06-09  5:33           ` query
2010-06-08 10:39 ` Glynn Clements
2010-06-08 15:10   ` query
2010-06-08 16:19     ` Glynn Clements
2010-06-09  6:44       ` query
2010-06-09  8:15         ` Adam T. Bowen
2010-06-09 10:14         ` Glynn Clements [this message]
     [not found]           ` <AANLkTimDS_IalexVnOKtOuKN8fz13rFumHV8TrjEGtph@mail.gmail.com>
     [not found]             ` <19471.47290.566464.539451@cerise.gclements.plus.com>
2010-06-10  6:02               ` query
2010-06-10 13:03                 ` Glynn Clements
2010-06-10 16:35                   ` query
2010-06-10 23:52                     ` Glynn Clements
2010-06-11  7:22                       ` query

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=19471.27017.510757.150961@cerise.gclements.plus.com \
    --to=glynn@gclements.plus.com \
    --cc=linux-admin@vger.kernel.org \
    --cc=mina86@tlen.pl \
    --cc=query.cdac@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).