diff options
| author | Richard Kettlewell <rjk@greenend.org.uk> | 2014-02-09 16:09:52 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2020-06-07 10:25:35 +0100 |
| commit | 24c9c811bfd227e467ab1ce00503f08dcc22c0f4 (patch) | |
| tree | d57facddd59855092f73b80ac0874adfb5bbe8cc | |
| parent | 6ed578a01fd61f9c930ef46cfefc467203ddd6c0 (diff) | |
Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for
compatibility.)
In batch mode, default ServerAliveInterval to five minutes.
Adjust documentation to match and to give some more advice on use of
keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2020-02-21
Patch-Name: keepalive-extensions.patch
| -rw-r--r-- | readconf.c | 14 | ||||
| -rw-r--r-- | ssh_config.5 | 21 | ||||
| -rw-r--r-- | sshd_config.5 | 3 |
3 files changed, 34 insertions, 4 deletions
diff --git a/readconf.c b/readconf.c index 2ccc48572..431243193 100644 --- a/readconf.c +++ b/readconf.c | |||
| @@ -176,6 +176,7 @@ typedef enum { | |||
| 176 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | 176 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, |
| 177 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, | 177 | oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, |
| 178 | oSecurityKeyProvider, | 178 | oSecurityKeyProvider, |
| 179 | oProtocolKeepAlives, oSetupTimeOut, | ||
| 179 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported | 180 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported |
| 180 | } OpCodes; | 181 | } OpCodes; |
| 181 | 182 | ||
| @@ -326,6 +327,8 @@ static struct { | |||
| 326 | { "ignoreunknown", oIgnoreUnknown }, | 327 | { "ignoreunknown", oIgnoreUnknown }, |
| 327 | { "proxyjump", oProxyJump }, | 328 | { "proxyjump", oProxyJump }, |
| 328 | { "securitykeyprovider", oSecurityKeyProvider }, | 329 | { "securitykeyprovider", oSecurityKeyProvider }, |
| 330 | { "protocolkeepalives", oProtocolKeepAlives }, | ||
| 331 | { "setuptimeout", oSetupTimeOut }, | ||
| 329 | 332 | ||
| 330 | { NULL, oBadOption } | 333 | { NULL, oBadOption } |
| 331 | }; | 334 | }; |
| @@ -1519,6 +1522,8 @@ parse_keytypes: | |||
| 1519 | goto parse_flag; | 1522 | goto parse_flag; |
| 1520 | 1523 | ||
| 1521 | case oServerAliveInterval: | 1524 | case oServerAliveInterval: |
| 1525 | case oProtocolKeepAlives: /* Debian-specific compatibility alias */ | ||
| 1526 | case oSetupTimeOut: /* Debian-specific compatibility alias */ | ||
| 1522 | intptr = &options->server_alive_interval; | 1527 | intptr = &options->server_alive_interval; |
| 1523 | goto parse_time; | 1528 | goto parse_time; |
| 1524 | 1529 | ||
| @@ -2222,8 +2227,13 @@ fill_default_options(Options * options) | |||
| 2222 | options->rekey_interval = 0; | 2227 | options->rekey_interval = 0; |
| 2223 | if (options->verify_host_key_dns == -1) | 2228 | if (options->verify_host_key_dns == -1) |
| 2224 | options->verify_host_key_dns = 0; | 2229 | options->verify_host_key_dns = 0; |
| 2225 | if (options->server_alive_interval == -1) | 2230 | if (options->server_alive_interval == -1) { |
| 2226 | options->server_alive_interval = 0; | 2231 | /* in batch mode, default is 5mins */ |
| 2232 | if (options->batch_mode == 1) | ||
| 2233 | options->server_alive_interval = 300; | ||
| 2234 | else | ||
| 2235 | options->server_alive_interval = 0; | ||
| 2236 | } | ||
| 2227 | if (options->server_alive_count_max == -1) | 2237 | if (options->server_alive_count_max == -1) |
| 2228 | options->server_alive_count_max = 3; | 2238 | options->server_alive_count_max = 3; |
| 2229 | if (options->control_master == -1) | 2239 | if (options->control_master == -1) |
diff --git a/ssh_config.5 b/ssh_config.5 index e2a2359f9..85ab7447f 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -266,9 +266,13 @@ If set to | |||
| 266 | .Cm yes , | 266 | .Cm yes , |
| 267 | user interaction such as password prompts and host key confirmation requests | 267 | user interaction such as password prompts and host key confirmation requests |
| 268 | will be disabled. | 268 | will be disabled. |
| 269 | In addition, the | ||
| 270 | .Cm ServerAliveInterval | ||
| 271 | option will be set to 300 seconds by default (Debian-specific). | ||
| 269 | This option is useful in scripts and other batch jobs where no user | 272 | This option is useful in scripts and other batch jobs where no user |
| 270 | is present to interact with | 273 | is present to interact with |
| 271 | .Xr ssh 1 . | 274 | .Xr ssh 1 , |
| 275 | and where it is desirable to detect a broken network swiftly. | ||
| 272 | The argument must be | 276 | The argument must be |
| 273 | .Cm yes | 277 | .Cm yes |
| 274 | or | 278 | or |
| @@ -1604,7 +1608,14 @@ from the server, | |||
| 1604 | will send a message through the encrypted | 1608 | will send a message through the encrypted |
| 1605 | channel to request a response from the server. | 1609 | channel to request a response from the server. |
| 1606 | The default | 1610 | The default |
| 1607 | is 0, indicating that these messages will not be sent to the server. | 1611 | is 0, indicating that these messages will not be sent to the server, |
| 1612 | or 300 if the | ||
| 1613 | .Cm BatchMode | ||
| 1614 | option is set (Debian-specific). | ||
| 1615 | .Cm ProtocolKeepAlives | ||
| 1616 | and | ||
| 1617 | .Cm SetupTimeOut | ||
| 1618 | are Debian-specific compatibility aliases for this option. | ||
| 1608 | .It Cm SetEnv | 1619 | .It Cm SetEnv |
| 1609 | Directly specify one or more environment variables and their contents to | 1620 | Directly specify one or more environment variables and their contents to |
| 1610 | be sent to the server. | 1621 | be sent to the server. |
| @@ -1684,6 +1695,12 @@ Specifies whether the system should send TCP keepalive messages to the | |||
| 1684 | other side. | 1695 | other side. |
| 1685 | If they are sent, death of the connection or crash of one | 1696 | If they are sent, death of the connection or crash of one |
| 1686 | of the machines will be properly noticed. | 1697 | of the machines will be properly noticed. |
| 1698 | This option only uses TCP keepalives (as opposed to using ssh level | ||
| 1699 | keepalives), so takes a long time to notice when the connection dies. | ||
| 1700 | As such, you probably want | ||
| 1701 | the | ||
| 1702 | .Cm ServerAliveInterval | ||
| 1703 | option as well. | ||
| 1687 | However, this means that | 1704 | However, this means that |
| 1688 | connections will die if the route is down temporarily, and some people | 1705 | connections will die if the route is down temporarily, and some people |
| 1689 | find it annoying. | 1706 | find it annoying. |
diff --git a/sshd_config.5 b/sshd_config.5 index 360e5fb1a..9f093be1f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -1680,6 +1680,9 @@ This avoids infinitely hanging sessions. | |||
| 1680 | .Pp | 1680 | .Pp |
| 1681 | To disable TCP keepalive messages, the value should be set to | 1681 | To disable TCP keepalive messages, the value should be set to |
| 1682 | .Cm no . | 1682 | .Cm no . |
| 1683 | .Pp | ||
| 1684 | This option was formerly called | ||
| 1685 | .Cm KeepAlive . | ||
| 1683 | .It Cm TrustedUserCAKeys | 1686 | .It Cm TrustedUserCAKeys |
| 1684 | Specifies a file containing public keys of certificate authorities that are | 1687 | Specifies a file containing public keys of certificate authorities that are |
| 1685 | trusted to sign user certificates for authentication, or | 1688 | trusted to sign user certificates for authentication, or |