authorRichard Kettlewell <rjk@greenend.org.uk>2014-02-09 16:09:52 +0000
committerColin Watson <cjwatson@debian.org>2017-03-29 01:39:47 +0100
commit74415628b380db26961259a25dcc47c4f02e8703 (patch)
tree36abae92a97bfe47e4e5b075c83b004f72a513da
parentfb7c3c37876359b7a110e1386a6b7887cd2c8ca2 (diff)
Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2016-12-26 Patch-Name: keepalive-extensions.patch
-rw-r--r--readconf.c14
-rw-r--r--ssh_config.521
-rw-r--r--sshd_config.53
3 files changed, 34 insertions, 4 deletions
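diff --git a/readconf.c b/readconf.c
index 32a729574..0b1370a8e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -173,6 +173,7 @@ typedef enum {
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
 	oPubkeyAcceptedKeyTypes, oProxyJump,
+	oProtocolKeepAlives, oSetupTimeOut,
 	oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -321,6 +322,8 @@ static struct {
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
+	{ "protocolkeepalives", oProtocolKeepAlives },
+	{ "setuptimeout", oSetupTimeOut },
 
 	{ NULL, oBadOption }
 };
@@ -1417,6 +1420,8 @@ parse_keytypes:
 		goto parse_flag;
 
 	case oServerAliveInterval:
+	case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+	case oSetupTimeOut: /* Debian-specific compatibility alias */
 		intptr = &options->server_alive_interval;
 		goto parse_time;
 
@@ -2070,8 +2075,13 @@ fill_default_options(Options * options)
 		options->rekey_interval = 0;
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-	if (options->server_alive_interval == -1)
-		options->server_alive_interval = 0;
+	if (options->server_alive_interval == -1) {
+		/* in batch mode, default is 5mins */
+		if (options->batch_mode == 1)
+			options->server_alive_interval = 300;
+		else
+			options->server_alive_interval = 0;
+	}
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
 	if (options->control_master == -1)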
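Review bot: The batch-mode default in fill_default_options hard-codes 300, and ssh_config.5 repeats the same number in two places, so the three copies will drift apart silently; I would name it once, e.g. `#define BATCH_SERVER_ALIVE_INTERVAL 300 /* keep in sync with ssh_config.5 */` and use that in place of the literal. The `options->batch_mode == 1` test also relies on batch_mode having already been normalised from -1 earlier in fill_default_options (outside this hunk, which cuts the function on both sides); if that ordering ever changes, an unset BatchMode would quietly lose the keepalive default rather than fail, so a one-line comment recording the dependency is worth adding. On the effect: with ServerAliveCountMax left at its default of 3 (visible just below), an unresponsive peer now tears a batch session down after roughly 15 minutes instead of holding an authenticated, possibly port-forwarding connection open indefinitely, which is the right default for unattended jobs but is a behaviour change for scripts that previously survived long network partitions and should be called out in the changelog. Separately, if SetupTimeOut previously carried semantics other than a periodic keepalive interval, mapping it onto server_alive_interval in the parser hunk changes its meaning for old configs without any signal; a `debug()` noting that a deprecated alias was used would make the migration visible to the people it affects.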
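diff --git a/ssh_config.5 b/ssh_config.5
index ec60273ea..e4eaa5ae0 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -250,8 +250,12 @@ Valid arguments are
 If set to
 .Cm yes ,
 passphrase/password querying will be disabled.
+In addition, the
+.Cm ServerAliveInterval
+option will be set to 300 seconds by default (Debian-specific).
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Cm yes
 or
@@ -1509,7 +1513,14 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set (Debian-specific).
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
@@ -1568,6 +1579,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.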
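diff --git a/sshd_config.5 b/sshd_config.5
index 3f819c76a..41ec66887 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1447,6 +1447,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Cm no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
 .It Cm TrustedUserCAKeys
 Specifies a file containing public keys of certificate authorities that are
 trusted to sign user certificates for authentication, or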