OpenSSH TCPKeepAlive Option Interval

linuxopensshsshtcp

In sshd config you can specify the option TCPKeepAlive yes. These Pakets are not encrypted so the could be spoofed.
With the options

ClientAliveInterval
ClientAliveCountMax
ServerAliveInterval
ServerAliveCountMax

you can specify the interval of the keep alive packets and the timeout (*CountMax) after which the connection is dropped. See also here What options `ServerAliveInterval` and `ClientAliveInterval` in sshd_config exactly do?

With TCPKeepAlive you can only enable it.
So what is the interval for the TCP-Pakets beeing sent?
After how many unsuccessful packets the connection is regarded broken and closed? Since default values are:

#TCPKeepAlive yes
#ClientAliveInterval 0
#ClientAliveCountMax 3

As far as I understand: The detection and closing of broken/inactive connections solely depends on the TCPKeepAlive option in the default configuration. So it is quite important to know that values.

Best Answer

The reason why OpenSSH doesn't offer any tweaks for TCPKeepAlive (which is implemented by the OS) is probably because there's no portable way to change its parameters; the only portable thing is turning it on or off with setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on_off).

On Linux, you can see (and change) the default values via the /proc filesystem, as documented in the tcp(7) manpage:

grep -T . /proc/sys/net/ipv4/tcp_keepalive*
/proc/sys/net/ipv4/tcp_keepalive_intvl: 75
/proc/sys/net/ipv4/tcp_keepalive_probes:        9
/proc/sys/net/ipv4/tcp_keepalive_time:  7200

So, it will wait 2 hours until it will consider a connection idle, and then send 9 probes at the interval of 75 seconds.

On Linux, FreeBSD and NetBSD (but not on OpenBSD) you can also change those options on a per-socket basis with setsockopt(fd, IPPROTO_TCP, TCP_KEEP{CNT,IDLE,INTVL}, &val) but, as mentioned, OpenSSH doesn't do that.

Related Solutions

SSH – How Does TCP-Keepalive Work in SSH

You probably want to use the ServerAlive settings for this. They do not require any configuration on the server, and can be set on the command line if you wish.

ssh -o ServerAliveInterval=5 -o ServerAliveCountMax=1 $HOST

This will send a ssh keepalive message every 5 seconds, and if it comes time to send another keepalive, but a response to the last one wasn't received, then the connection is terminated.

The critical difference between ServerAliveInterval and TCPKeepAlive is the layer they operate at.

TCPKeepAlive operates on the TCP layer. It sends an empty TCP ACK packet. Firewalls can be configured to ignore these packets, so if you go through a firewall that drops idle connections, these may not keep the connection alive.
ServerAliveInterval operates on the ssh layer. It will actually send data through ssh, so the TCP packet has encrypted data in and a firewall can't tell if its a keepalive, or a legitimate packet, so these work better.

Ssh – the default idle timeout for OpenSSH

The commented lines in sshd_config usually display the defaults. This is the case with all of the lines in your question. You can verify this in the sshd_config manpage. Here are the relevant snippets:

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving “ghost” users and consuming server resources.

The default is “yes” (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions.

To disable TCP keepalive messages, the value should be set to “no”.

This option was formerly called KeepAlive.

ClientAliveCountMax
Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive ~~(below)~~ (above). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

Best Answer

Related Solutions

SSH – How Does TCP-Keepalive Work in SSH

Ssh – the default idle timeout for OpenSSH

Related Question