authorRichard Kettlewell <rjk@greenend.org.uk>2014-02-09 16:09:52 +0000
committerColin Watson <cjwatson@debian.org>2018-04-03 08:20:56 +0100
commita7045c36e6e072c8f9250fbe11cf2f9db9f51a08 (patch)
tree87af42b26122998a88bf9945aff95cbca51ff605
parent4fb99d4eb8936b6ffae3749717abfc2dccbaa162 (diff)
Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2017-10-04 Patch-Name: keepalive-extensions.patch
-rw-r--r--readconf.c14
-rw-r--r--ssh_config.521
-rw-r--r--sshd_config.53
3 files changed, 34 insertions, 4 deletions
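--- a/readconf.c
+++ b/readconf.c
@@ -174,6 +174,7 @@ typedef enum {
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
 	oPubkeyAcceptedKeyTypes, oProxyJump,
+	oProtocolKeepAlives, oSetupTimeOut,
 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -319,6 +320,8 @@ static struct {
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
+	{ "protocolkeepalives", oProtocolKeepAlives },
+	{ "setuptimeout", oSetupTimeOut },
 
 	{ NULL, oBadOption }
 };
@@ -1378,6 +1381,8 @@ parse_keytypes:
 		goto parse_flag;
 
 	case oServerAliveInterval:
+	case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+	case oSetupTimeOut: /* Debian-specific compatibility alias */
 		intptr = &options->server_alive_interval;
 		goto parse_time;
 
@@ -2019,8 +2024,13 @@ fill_default_options(Options * options)
 	options->rekey_interval = 0;
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-	if (options->server_alive_interval == -1)
-		options->server_alive_interval = 0;
+	if (options->server_alive_interval == -1) {
+		/* in batch mode, default is 5mins */
+		if (options->batch_mode == 1)
+			options->server_alive_interval = 300;
+		else
+			options->server_alive_interval = 0;
+	}
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
 	if (options->control_master == -1)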
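Review bot: The batch-mode default in the last hunk (new lines 2029–2030) hardcodes 300 without relating it to ServerAliveCountMax, which the lines right after default to 3, so the time a batch job actually needs to notice a dead peer is about 3 × 300 s rather than the "5mins" the comment suggests; the literal also deserves a name. I would replace `/* in batch mode, default is 5mins */` with `/* Debian: nobody is present in batch mode to notice a hung link, so probe every 5 minutes; with ServerAliveCountMax 3 a dead peer is declared after ~15 minutes */` and hoist 300 into a named constant such as `BATCH_SERVER_ALIVE_INTERVAL` (name is a suggestion). The test `options->batch_mode == 1` rather than a truth test is only safe if batch_mode has already been defaulted earlier in fill_default_options, which lies outside the hunk; a short comment stating that dependency would help. The enclosing functions and the switch in the third hunk start and end outside the hunks.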
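--- a/ssh_config.5
+++ b/ssh_config.5
@@ -247,8 +247,12 @@ Valid arguments are
 If set to
 .Cm yes ,
 passphrase/password querying will be disabled.
+In addition, the
+.Cm ServerAliveInterval
+option will be set to 300 seconds by default (Debian-specific).
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a broken network swiftly.
 The argument must be
 .Cm yes
 or
@@ -1463,7 +1467,14 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set (Debian-specific).
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
@@ -1537,6 +1548,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.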
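--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1495,6 +1495,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Cm no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
 .It Cm TrustedUserCAKeys
 Specifies a file containing public keys of certificate authorities that are
 trusted to sign user certificates for authentication, or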