[sf-lug] keep alive time for an ssh connection
Rick Moen
rick at linuxmafia.com
Sat Dec 20 23:52:26 PST 2008
Quoting Alex Kleider (a_kleider at yahoo.com):
> I tried
> ssh -o TCPKeepAlive <machine>
> but it made no difference!
Hmm, you got the syntax wrong. There's a missing "=yes", there.
"man 5 ssh_config" is your friend.
:r! man 5 ssh_config
Reformatting ssh_config(5), please wait...
SSH_CONFIG(5)             BSD File Formats Manual            SSH_CONFIG(5)

NAME
     ssh_config - OpenSSH SSH client configuration files

SYNOPSIS
     ~/.ssh/config
     /etc/ssh/ssh_config

DESCRIPTION
     ssh obtains configuration data from the following sources in the
     following order:

           1.   command-line options
           2.   user's configuration file (~/.ssh/config)
           3.   system-wide configuration file (/etc/ssh/ssh_config)

[...]
     TCPKeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side.  If they are sent, death of the connection or
             crash of one of the machines will be properly noticed.  This
             option only uses TCP keepalives (as opposed to using ssh level
             keepalives), so takes a long time to notice when the connection
             dies.  As such, you probably want the ServerAliveInterval option
             as well.  However, this means that connections will die if the
             route is down temporarily, and some people find it annoying.

             The default is ``yes'' (to send TCP keepalive messages), and the
             client will notice if the network goes down or the remote host
             dies.  This is important in scripts, and many users want it too.

             To disable TCP keepalive messages, the value should be set to
             ``no''.

[...]
I notice that it defaults to "yes", though, unless your distribution has
changed that behaviour.
In addition, you should attend to:
     ServerAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the server, ssh will send a message through
             the encrypted channel to request a response from the server.  The
             default is 0, indicating that these messages will not be sent to
             the server, or 300 if the BatchMode option is set.
             ProtocolKeepAlives is a Debian-specific compatibility alias for
             this option.

     ServerAliveCountMax
             Sets the number of server alive messages (see above) which may be
             sent without ssh receiving any messages back from the server.  If
             this threshold is reached while server alive messages are being
             sent, ssh will disconnect from the server, terminating the
             session.  It is important to note that the use of server alive
             messages is very different from TCPKeepAlive (below).  The server
             alive messages are sent through the encrypted channel and
             therefore will not be spoofable.  The TCP keepalive option
             enabled by TCPKeepAlive is spoofable.  The server alive mechanism
             is valuable when the client or server depend on knowing when a
             connection has become inactive.

             The default value is 3.  If, for example, ServerAliveInterval
             (above) is set to 15, and ServerAliveCountMax is left at the
             default, if the server becomes unresponsive ssh will disconnect
             after approximately 45 seconds.  This option works when using
             protocol version 2 only; in protocol version 1 there is no
             mechanism to request a response from the server to the server
             alive messages, so disconnection is the responsibility of the TCP
             stack.

"ServerAliveInterval 5" seems about right.
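
Added example, not part of the original post: a small checker for the options discussed in this thread. It reads ssh options one per line, in the "Keyword value" or "Keyword=value" form used in ~/.ssh/config or after -o, counts bare keywords such as the "TCPKeepAlive" first tried above, and reports the ServerAliveInterval x ServerAliveCountMax disconnect time. The name keepalive_report is hypothetical, the sample inputs are constructed, and Host/Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original post.
# keepalive_report: read ssh options (one per line) from stdin or from files
# and print the keepalive behaviour they produce.
# Assumption: all lines apply to one host; Host/Match blocks are not evaluated.
keepalive_report() {
    awk '
        BEGIN { tcp = "yes"; ival = 0; cmax = 3; bad = 0 }  # defaults per ssh_config(5)
        /^[ \t]*#/ || /^[ \t]*$/ { next }                    # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t=]/)       # keyword ends at the first blank or "="
            if (n == 0) { bad++; next }     # bare keyword with no value
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            gsub(/^[ \t=]+/, "", val)       # drop the separator
            if (key in seen) next           # the first value obtained is the one used
            seen[key] = 1
            if (key == "tcpkeepalive") tcp = tolower(val)
            else if (key == "serveraliveinterval") ival = val + 0
            else if (key == "serveralivecountmax") cmax = val + 0
        }
        END {
            # serveralive = seconds until ssh gives up on an unresponsive server
            if (ival > 0)
                printf "tcpkeepalive=%s serveralive=%ds malformed=%d\n", tcp, ival * cmax, bad
            else
                printf "tcpkeepalive=%s serveralive=off malformed=%d\n", tcp, bad
        }
    ' "$@"
}

# Constructed sample input: the option as first tried, then a working set.
printf '%s\n' 'TCPKeepAlive' | keepalive_report
printf '%s\n' 'TCPKeepAlive=yes' 'ServerAliveInterval 5' | keepalive_report
```
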