Date:      Tue, 18 Jun 2002 16:26:37 -0700
From:      "Philip J. Koenig" <pjklist@ekahuna.com>
To:        questions@FreeBSD.ORG
Cc:        Dan Nelson <dnelson@allantgroup.com>, Giorgos Keramidas <keramida@ceid.upatras.gr>
Subject:   Re: kicking users
Message-ID:  <20020618232637633.AAA603@empty1.ekahuna.com@pc02.ekahuna.com>

Date:      Wed, 19 Jun 2002 00:24:43 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>

> On 2002-06-17 19:23 -0700, Philip J. Koenig wrote:
> > > Hmm.  According to the sshd manpage, it already enables
> > > keepalives.  Ignore my sysctl idea, then.
> >
> > Interesting you should mention that though.  I have a problem where
> > sessions get killed off, and I think it's because of the stateful
> > firewall on one or both ends of the connection timing out the
> > session when no packets traverse it for 5-10 mins. (this is actually
> > the main reason I end up wanting to kill 'zombie' user sessions) 
>
> This looks similar to troubles I had with a stateful ipfw firewall
> that killed my ssh sessions too often for me to ignore it.  Try
> increasing the lifetime of dynamic ipfw rules.  I now have in my
> /etc/sysctl.conf file the following: 
> 
>  net.inet.ip.fw.dyn_ack_lifetime=7200


I don't want to increase the session timeout on the firewall(s) 
because that introduces other issues (including security problems, 
i.e. making it easier for sessions to be hijacked).

The simple solution is to have a working keepalive function on the 
server or the client. (PuTTY for Windows was the only one I've tried 
that did this correctly on the client side.)

However, the problem is now solved for me because I discovered an 
option for sshd_config called "ClientAliveInterval" that either is 
fairly new, or I hadn't tried before.  I had enabled the "keepalive" 
function for sshd, but this is really a misnomer; I think of it as a 
"watchdog timer" which kills sessions after they stop communicating.

I just added the following to the /etc/ssh/sshd_config file:

ClientAliveInterval 30
ClientAliveCountMax 4

The first setting sends keepalive messages from server to client 
every 30 seconds, and the second setting allows 4 of those to go 
unanswered before terminating the session (another "watchdog" 
function).  Bear in mind this only works for SSH v2 apparently.

In any case, I was able to leave a session idle for 20 mins without 
it being terminated, so it looks like it solved the problem.  Also 
hopefully the various watchdog measures will kill sessions where 
connectivity has been lost for an extended period, hopefully 
addressing the "zombie user" issue.  Time will tell.

HTH,

Phil



--
Philip J. Koenig                                       pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
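As an added example, not part of Phil's post or of sshd itself: a small Python check that parses the global ClientAliveInterval and ClientAliveCountMax from sshd_config text and relates them to a stateful firewall's idle timeout. The sample config, the 300-second firewall figure, and the function names are constructed for illustration.

```python
# Added example (not from the original post): parse the global ClientAlive*
# settings from sshd_config and relate them to a stateful firewall's idle timer.
import re

# Defaults per sshd_config(5): interval 0 disables probing; count defaults to 3.
DEFAULTS = {"clientaliveinterval": 0, "clientalivecountmax": 3}


def parse_sshd_config(text):
    """Global ClientAlive* values: keywords are case-insensitive, '#' starts a
    comment, 'Key value' and 'Key=value' both work, the first occurrence of a
    keyword wins (as in sshd), and parsing stops at the first Match block."""
    values = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in values and key not in seen and len(parts) == 2:
            values[key] = int(parts[1])
            seen.add(key)
    return values


def assess_keepalive(values, firewall_idle_timeout):
    """A probe must leave before the firewall's idle timer expires, so the
    interval has to be shorter than that timeout; an unresponsive client is
    dropped after roughly interval * count seconds (the 'watchdog')."""
    interval, count = values["clientaliveinterval"], values["clientalivecountmax"]
    if interval == 0:
        return {"probing": False, "dead_after": None, "keeps_state_alive": False}
    return {"probing": True, "dead_after": interval * count,
            "keeps_state_alive": interval < firewall_idle_timeout}


# Constructed sample: the post's values plus the kinds of lines that trip up
# naive parsing (comments, '=' syntax, a duplicate, a Match block).
SAMPLE_CONFIG = """\
clientaliveinterval 30     # probe the client every 30 s
ClientAliveCountMax=4      # allow 4 unanswered probes
ClientAliveInterval 900    # ignored: first occurrence wins
Match User backup
    ClientAliveInterval 5  # ignored: inside a Match block
"""
FIREWALL_IDLE_TIMEOUT = 300  # constructed: a 5-minute dynamic-rule lifetime
```

With the post's values the server probes every 30 s, well inside a 5-minute firewall idle window, and a client that stops answering is dropped after about 120 s.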

