2019-02-01

UNIX: Disabling SSH Client Session Disconnect on Idle

UNIX: Disabling/Extending SSH Client Session Disconnect on Idle

Overview

A typical organization will disconnect SSH connections when they are idle. After hours of searching the Internet, I found lots of partial answers on how to keep an ssh client session from getting disconnected. Therefore, I have written this post to summarize them all, focusing mainly on RedHat RHEL 7.x (CentOS 7.x), as this is the environment typically involved for ssh (Windows ssh support only started with late Windows 10 and Windows 2019 Server, so I'm not going to include it).

The following are the various approaches a typical organization will configure to kick out idle ssh connections:
  1. Firewall is terminating the idle ssh connection - the firewall could be on the UNIX server, or sit between the UNIX server and the ssh client
  2. bash shell is terminating the idle shell session - the Linux bash shell has an environment parameter, TMOUT, which can be configured to disconnect an idle shell. ssh users will see their ssh session getting disconnected, but /var/log/secure (the sshd daemon log file) will not show an entry for the disconnection
  3. sshd daemon on the UNIX server is terminating the idle ssh connection - there are 2 parameters that allow the sshd server to disconnect an idle ssh client connection

Information found on the Internet often covers only one of the 3 above, while users might be experiencing all 3. Inexperienced administrators are often confused about how to troubleshoot and fix it, while some over-configure, resulting in more administration overhead.

Configuration Overview

The following are the relevant configuration and log files for troubleshooting each of the above 3 setups:

| # | Component | Configuration File | Parameter | Value | Comment |
|---|---|---|---|---|---|
| 1 | Firewall/router | Vendor dependent | Vendor dependent | Vendor dependent | firewalld & iptables used by RHEL do not have the capability to drop idle connections, so this configuration is in an external firewall device, such as a Cisco firewall/router |
| 2 | bash | /etc/profile, ~/.bash_profile, ~/.profile | TMOUT | None (default), or set to the desired number of seconds | Type "unset TMOUT" to remove this parameter, and bash won't terminate the idle session. The following message is displayed in the console when TMOUT is reached: "timed out waiting for input: auto-logout" |
| 3 | sshd (Server) | /etc/ssh/sshd_config | 1. ClientAliveInterval 2. ClientAliveCountMax | Comment both out, and restart sshd (service sshd restart). To enable the idle timeout, set ClientAliveCountMax=0, and specify the desired timeout value as ClientAliveInterval. E.g. to set a 15 min timeout, set ClientAliveInterval=15m (yes, m is acceptable as the number of minutes) | The following message appears in /var/log/secure when sshd closes an idle connection: "Jan 29 11:48:15 myhostname sshd[9614]: Timeout, client not responding." |

The UNIX administrator might have enabled the firewall & router to kill idle connections. If it is not possible to convince that team to adjust the timeout to a reasonable value, then you can configure the ssh client to send keep-alive messages to the server, so that the firewall & router treat the connection as active and you won't get kicked off.

SSH client parameter:

  1. ServerAliveInterval = 5m
The above will send a TCP NULL packet to the sshd daemon every 5 min, and both firewall and router will think someone is actively entering something. The connection is treated as active, and won't be terminated.

Wrong Configuration

Scenario 1: /etc/ssh/sshd_config (server) and ~/.ssh/ssh_config (client) are configured with tcpkeepalive=yes, but the session still gets disconnected

Explanation: First, find out what is kicking you out. If it is sshd, then /var/log/secure will have an entry as shown above. If it is bash, then type "echo $TMOUT" to see whether it is configured. If neither is configured, then it is very likely the firewall/router.

Next, find out how soon the ssh client session is kicked out. Open a new ssh session to the server, and check back every 5 min. This gives you a rough idea, so that you have a baseline to test with.

If the session gets kicked out after 5 min, then configure the ssh client to enable keepalive. PuTTY has this in the option menu, and the ssh client has it too.

Use PuTTY (ssh client) to open a new connection to the server with keepalive enabled, and wait for 5 min. If it does not get disconnected, then you have a temporary workaround while investigating the root cause.

For a Linux client, configure the parameter ServerAliveInterval=x in /etc/ssh/ssh_config, where x is the interval, in seconds, at which a TCP NULL packet is sent to the sshd server.

Scenario 2: /etc/ssh/sshd_config (server) has ClientAliveInterval=600m, yet the ssh client keeps getting disconnected. There is no firewall/router/bash timeout. What could be the problem?

Multiple values of ClientAliveInterval in /etc/ssh/sshd_config could be the cause. Some people blindly add ClientAliveInterval=600m to the end of the config file, while sshd reads the first entry at the top of the configuration file. Therefore, the effective setting is still the old value (at the top).

A second reason could be that the sshd daemon was not restarted after the configuration change. sshd doesn't activate the new setting until it gets restarted using "service sshd restart".

Type "sshd -T | grep clientalive" to see the effective setting.
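
The first-entry-wins behaviour from Scenario 2, as an added example that is not part of the original post: the shell functions below list every active entry of a keyword in an sshd_config and separate the effective one from the ignored duplicates. The function names and the sample config are made up for illustration; entries inside Match blocks are skipped on purpose because they apply only to matching connections.

```shell
#!/bin/sh
# Added example, not from the original post. The sample config is constructed.

# list_sshd_option FILE KEYWORD
# Prints "lineno value" for every active (uncommented) global entry of KEYWORD.
list_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # drop leading whitespace
            if (line == "" || line ~ /^#/) next   # blank lines and comments
            split(line, f, /[ \t=]+/)             # "Key value" or "Key=value"
            kw = tolower(f[1])                    # keywords are case-insensitive
            if (kw == "match") exit               # Match blocks are conditional
            if (kw == key) print NR, f[2]
        }' "$1"
}

# sshd keeps the first value it reads for a keyword: that is the effective one.
effective_sshd_option() { list_sshd_option "$1" "$2" | head -n 1; }

# Every later entry of the same keyword is silently ignored.
shadowed_sshd_option() { list_sshd_option "$1" "$2" | tail -n +2; }

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 22
ClientAliveInterval 300
ClientAliveCountMax 0
#ClientAliveInterval 900
UsePAM yes
ClientAliveInterval=600m
EOF

echo "effective: $(effective_sshd_option "$sample" ClientAliveInterval)"
echo "ignored:   $(shadowed_sshd_option "$sample" ClientAliveInterval)"
```

On a real server, point the functions at /etc/ssh/sshd_config and compare the result with the output of "sshd -T".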

Scenario 3: /etc/ssh/sshd_config (server) has both ClientAlive* settings commented out, so sshd won't disconnect idle ssh client sessions. Why does my ssh session still get disconnected?

In /etc/profile, the environment variable "TMOUT" could be configured, which will kick idle sessions out as well. After opening a new ssh session, type "echo $TMOUT" to check whether it is configured. Remove the timeout using the following:

$ unset TMOUT

You can reset it in ~/.bash_profile so that it overrides the global default in /etc/profile. Add this line to .bash_profile:

unset TMOUT
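
To find where TMOUT comes from before relying on unset, the following added example (not part of the original post) scans shell start-up files for TMOUT assignments and flags read-only declarations, which bash will not let you unset. The function names and sample files are made up for illustration; on a real host you would pass /etc/profile, ~/.bash_profile and ~/.profile.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed.

# tmout_settings FILE...
# Prints "file:lineno:kind" for each active TMOUT line; kind is set or readonly.
tmout_settings() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }                   # skip comment lines
            { line = " " $0 " " }                 # pad so TMOUT has delimiters
            line ~ /(readonly|(declare|typeset)[ \t]+-[A-Za-z]*r[A-Za-z]*)[ \t]+(.*[ \t])?TMOUT[=; \t]/ {
                print file ":" NR ":readonly"; next
            }
            line ~ /[ \t;]TMOUT=/ { print file ":" NR ":set" }
        ' "$f"
    done
}

# unset_can_clear FILE...
# Succeeds only if no file marks TMOUT read-only; bash refuses to unset or
# reassign a read-only variable, so "unset TMOUT" would fail in that case.
unset_can_clear() { ! tmout_settings "$@" | grep -q ':readonly$'; }

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
cat > "$dir/profile_plain" <<'EOF'
# constructed stand-in for /etc/profile
export TMOUT=900
EOF
cat > "$dir/profile_locked" <<'EOF'
# constructed stand-in for /etc/profile with a locked timeout
TMOUT=900
readonly TMOUT
export TMOUT
EOF

for p in "$dir/profile_plain" "$dir/profile_locked"; do
    tmout_settings "$p"
    if unset_can_clear "$p"; then echo "$p: unset TMOUT will work"
    else echo "$p: TMOUT is read-only, unset TMOUT will fail"; fi
done
```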

