authorRichard Kettlewell <rjk@greenend.org.uk>2014-02-09 16:09:52 +0000
committerColin Watson <cjwatson@debian.org>2014-03-19 16:40:05 +0000
commit89a797b303eb5ed9edeb122a15b9dedf152cdd02 (patch)
treece23d17deb29632363d71d655bdfce9bfc8423ce
parent40a23637b9cb6364c8baeb2c25b1d8115bc740c0 (diff)
Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: keepalive-extensions.patch
-rw-r--r--readconf.c14
-rw-r--r--ssh_config.521
-rw-r--r--sshd_config.53
3 files changed, 34 insertions, 4 deletions
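diff --git a/readconf.c b/readconf.c
index 2a1fe8ec6..e79e355dc 100644
--- a/readconf.c
+++ b/readconf.c
@@ -150,6 +150,7 @@ typedef enum {
 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+	oProtocolKeepAlives, oSetupTimeOut,
 	oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -279,6 +280,8 @@ static struct {
 	{ "canonicalizemaxdots", oCanonicalizeMaxDots },
 	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
 	{ "ignoreunknown", oIgnoreUnknown },
+	{ "protocolkeepalives", oProtocolKeepAlives },
+	{ "setuptimeout", oSetupTimeOut },
 
 	{ NULL, oBadOption }
 };
@@ -1245,6 +1248,8 @@ parse_int:
 		goto parse_flag;
 
 	case oServerAliveInterval:
+	case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+	case oSetupTimeOut: /* Debian-specific compatibility alias */
 		intptr = &options->server_alive_interval;
 		goto parse_time;
 
@@ -1724,8 +1729,13 @@ fill_default_options(Options * options)
 		options->rekey_interval = 0;
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-	if (options->server_alive_interval == -1)
-		options->server_alive_interval = 0;
+	if (options->server_alive_interval == -1) {
+		/* in batch mode, default is 5mins */
+		if (options->batch_mode == 1)
+			options->server_alive_interval = 300;
+		else
+			options->server_alive_interval = 0;
+	}
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
 	if (options->control_master == -1)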
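Review bot: The batch-mode default added at new lines 1734–1737 of fill_default_options reads options->batch_mode, so it only behaves as intended if batch_mode has already been resolved from its -1 placeholder earlier in that function; that earlier part is outside the hunk (fill_default_options begins before it), so the ordering is worth confirming, because a still-unset -1 would silently take the 0 branch and leave keepalives off. The comment `/* in batch mode, default is 5mins */` gives the value but not the reason; something like `/* BatchMode has no user to notice a hung session, so enable ssh-level keepalives by default (300 s) */` would make the intent clear to the next maintainer. At new lines 1251–1252 the alias cases fold SetupTimeOut, whose name suggests a connection-setup timeout rather than a keepalive period, into server_alive_interval; naming the canonical option in the comment, e.g. `/* Debian-specific compatibility alias for ServerAliveInterval */`, would spare readers a trip to the man page.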
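diff --git a/ssh_config.5 b/ssh_config.5
index 617a312d0..b3c5dc614 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -205,8 +205,12 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the
+.Cm ServerAliveInterval
+option will be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -1299,8 +1303,15 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set.
 This option applies to protocol version 2 only.
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
@@ -1339,6 +1350,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.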
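diff --git a/sshd_config.5 b/sshd_config.5
index 9aa9ebafa..39643deb1 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1168,6 +1168,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
 .It Cm TrustedUserCAKeys
 Specifies a file containing public keys of certificate authorities that are
 trusted to sign user certificates for authentication.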