- beck@cvs.openbsd.org 2001/04/13 22:46:54

[channels.c channels.h servconf.c servconf.h serverloop.c sshd.8] Add options ClientAliveInterval and ClientAliveCountMax to sshd. This gives the ability to do a "keepalive" via the encrypted channel which can't be spoofed (unlike TCP keepalives). Useful for when you want to use ssh connections to authenticate people for something, and know relatively quickly when they are no longer authenticated. Disabled by default (of course). ok markus@
author: Ben Lindstrom <mouring@eviladmin.org> 2001-04-13 23:28:01 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2001-04-13 23:28:01 +0000
commit: 5744dc421d035c701b6660a58bed0d038c211375 (patch)
tree: a7c8df98b56a37c9be2fb3e33893e90424a85379 /sshd.8
parent: 402b3319456c1f0da0822319c3813c68e155726d (diff)
1 files changed, 26 insertions, 1 deletions
diff --git a/sshd.8 b/sshd.8
index da95eaef7..887cc3ba3 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.114 2001/04/11 16:25:31 lebel Exp $
+.\" $OpenBSD: sshd.8,v 1.115 2001/04/13 22:46:54 beck Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -363,6 +363,31 @@ Specifies whether
 should check for new mail for interactive logins.
 The default is
 .Dq no .
+.It Cm ClientAliveInterval
+Sets a timeout interval in seconds after which if no data has been received
+from the client, 
+.Nm
+will send a message through the encrypted
+channel to request a response from the client. This may only be
+used on a server supporting only protocol version 2. The default
+is 0, indicating that these messages will not be sent to the client.
+.It Cm ClientAliveCountMax
+Sets the number of client alive messages (see above) which may be
+sent without
+.Nm
+receiving any messages back from the client. If this threshold is
+reached while client alive messages are being sent, 
+.Nm
+will disconnect the client, terminating the session. It is important
+to note that the use of client alive messages is very different from 
+Keepalive (below). The client alive messages are sent through the
+encrypted channel and therefore will not be spoofable. The TCP keepalive
+option enable by Keepalive is spoofable. You want to use the client
+alive mechanism when you are basing something important on
+clients having an active connection to the server.
+ The default is value is 3. If you set ClientAliveInterval
+(above) to 15, and leave this value at the default, unresponsive ssh clients
+will be disconnected after approximately 45 seconds. 
 .It Cm DenyGroups
 This keyword can be followed by a number of group names, separated
 by spaces.
author	Ben Lindstrom <mouring@eviladmin.org>	2001-04-13 23:28:01 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2001-04-13 23:28:01 +0000
commit	5744dc421d035c701b6660a58bed0d038c211375 (patch)
tree	a7c8df98b56a37c9be2fb3e33893e90424a85379 /sshd.8
parent	402b3319456c1f0da0822319c3813c68e155726d (diff)

diff --git a/sshd.8 b/sshd.8 index da95eaef7..887cc3ba3 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.114 2001/04/11 16:25:31 lebel Exp $	37	.\" $OpenBSD: sshd.8,v 1.115 2001/04/13 22:46:54 beck Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -363,6 +363,31 @@ Specifies whether
363	should check for new mail for interactive logins.	363	should check for new mail for interactive logins.
364	The default is	364	The default is
365	.Dq no .	365	.Dq no .
		366	.It Cm ClientAliveInterval
		367	Sets a timeout interval in seconds after which if no data has been received
		368	from the client,
		369	.Nm
		370	will send a message through the encrypted
		371	channel to request a response from the client. This may only be
		372	used on a server supporting only protocol version 2. The default
		373	is 0, indicating that these messages will not be sent to the client.
		374	.It Cm ClientAliveCountMax
		375	Sets the number of client alive messages (see above) which may be
		376	sent without
		377	.Nm
		378	receiving any messages back from the client. If this threshold is
		379	reached while client alive messages are being sent,
		380	.Nm
		381	will disconnect the client, terminating the session. It is important
		382	to note that the use of client alive messages is very different from
		383	Keepalive (below). The client alive messages are sent through the
		384	encrypted channel and therefore will not be spoofable. The TCP keepalive
		385	option enable by Keepalive is spoofable. You want to use the client
		386	alive mechanism when you are basing something important on
		387	clients having an active connection to the server.
		388	The default is value is 3. If you set ClientAliveInterval
		389	(above) to 15, and leave this value at the default, unresponsive ssh clients
		390	will be disconnected after approximately 45 seconds.
366	.It Cm DenyGroups	391	.It Cm DenyGroups
367	This keyword can be followed by a number of group names, separated	392	This keyword can be followed by a number of group names, separated
368	by spaces.	393	by spaces.