In sshd config you can specify the option `TCPKeepAlive yes`. These packets are not encrypted, so they could be spoofed.
With the options

- `ClientAliveInterval`
- `ClientAliveCountMax`
- `ServerAliveInterval`
- `ServerAliveCountMax`

you can specify the interval of the keep alive packets and the timeout (*CountMax) after which the connection is dropped. See also: "What options `ServerAliveInterval` and `ClientAliveInterval` in sshd_config exactly do?"

With `TCPKeepAlive` you can only enable it.
So what is the interval for the TCP packets being sent?
After how many unsuccessful packets is the connection regarded as broken and closed? Since the default values are:
```
#TCPKeepAlive yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
```
As far as I understand: The detection and closing of broken/inactive connections solely depends on the `TCPKeepAlive` option in the default configuration. So it is quite important to know those values.
Best Answer
The reason why OpenSSH doesn't offer any tweaks for `TCPKeepAlive` (which is implemented by the OS) is probably because there's no portable way to change its parameters; the only portable thing is turning it on or off with `setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on_off)`.

On Linux, you can see (and change) the default values via the `/proc` filesystem, as documented in the `tcp(7)` manpage:

So, it will wait 2 hours until it will consider a connection idle, and then send 9 probes at the interval of 75 seconds.
On Linux, FreeBSD and NetBSD (but not on OpenBSD) you can also change those options on a per-socket basis with `setsockopt(fd, IPPROTO_TCP, TCP_KEEP{CNT,IDLE,INTVL}, &val)` but, as mentioned, OpenSSH doesn't do that.
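
The per-socket `setsockopt` calls named in the answer, as an added example that is not part of the original answer and not OpenSSH code. The `ka_*` helper names and the 60/10/3 values are constructed for illustration; the helper `ka_dead_after` computes the worst-case time until a silent peer is dropped, which is 7875 seconds for the 2 hours / 75 seconds / 9 probes quoted above.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

struct ka { int idle, intvl, cnt; };   /* seconds, seconds, probe count */

/* Worst case until a silent peer is declared dead: the idle time before
 * the first probe, then cnt unanswered probes sent intvl seconds apart. */
long ka_dead_after(struct ka k) {
    return (long)k.idle + (long)k.cnt * k.intvl;
}

/* Read the timers in effect on fd. On Linux a socket that was never tuned
 * reports the system-wide defaults. */
int ka_get(int fd, struct ka *k) {
    socklen_t n = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &k->idle, &n) < 0) return -1;
    n = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &k->intvl, &n) < 0) return -1;
    n = sizeof(int);
    return getsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &k->cnt, &n);
}

/* Enable keepalive (the portable part), then override the three timers
 * for this socket only (the non-portable part). */
int ka_set(int fd, struct ka k) {
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &k.idle, sizeof k.idle) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &k.intvl, sizeof k.intvl) < 0) return -1;
    return setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &k.cnt, sizeof k.cnt);
}

int main(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct ka k;
    if (fd < 0 || ka_get(fd, &k) < 0) { perror("keepalive"); return 1; }
    printf("system default: idle=%d intvl=%d cnt=%d -> dead after %lds\n",
           k.idle, k.intvl, k.cnt, ka_dead_after(k));
    struct ka tight = { 60, 10, 3 };   /* constructed sample values */
    if (ka_set(fd, tight) < 0 || ka_get(fd, &k) < 0) { perror("keepalive"); return 1; }
    printf("per-socket:     idle=%d intvl=%d cnt=%d -> dead after %lds\n",
           k.idle, k.intvl, k.cnt, ka_dead_after(k));
    close(fd);
    return 0;
}
```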