Closing Idle Sessions in SunSSH
By janp on Oct 21, 2009
A question comes up from time to time: is
there a way for SSH to get rid of idle sessions? Usually, before
such a question is asked, the server side keyword
is consulted but quickly forgotten as an option that controls
something else entirely. Then,
checked with the same result. On the client side,
the hope is that ServerAliveInterval could help.
The answer might be surprising, but those "alive" options can really
help in getting rid of idle sessions on both the server and the client
side. However, note that
are supported only in OpenSolaris, not in S10. So, on S10 you will
be able to close idle sessions only on the server side (which is usually
why you are looking for such a feature though).
The trick is to set the "countmax" option to 0. The way those options were implemented in OpenSSH, and thus inherited when SunSSH was forked, is that when the alive counter expires and it is time to send another keepalive-like packet, SSH checks whether the max counter has not already reached 0. If it has, the number of unanswered packets has reached its maximum and the connection is closed. So, if we start with 0 as the max count, we get an idle session killer instead of what those options are normally supposed to do. Yes, this also means you can no longer use the options to keep your connection alive through a proxy or a stateful firewall, for example. You have to decide which one of the two features you want.
See this example:
    $ time ssh -o ServerAliveCountMax=0 -o ServerAliveInterval=10 boxA
    Last login: Wed Oct 21 11:27:25 2009 from boxB
    Sun Microsystems Inc. SunOS 5.11 rfc-6868716 09/10/2009 Oct 2007
    bfu'ed from /export/archives/nightly-nd/ on 2009-09-10
    Sun Microsystems Inc. SunOS 5.11 snv_115 November 2008
    $ Timeout, server not responding.

    real 0m14.626s
    user 0m0.170s
    sys 0m0.030s
Those extra 4 seconds were spent logging in over a slow connection. The
timeout starts after the authentication is over. It's probably time to
put a short note about this hidden feature to
pages but before that happens, this is a faster way to mention it.
The server side example looks similar:
    # cd /usr/lib/ssh
    # time ./sshd -d -o ClientAliveCountMax=0 \
        -o ClientAliveInterval=10 -p 2222
    ... output omitted ...
    Disconnecting: Timeout, your session not responding.
    ...

    real 0m12.806s
    user 0m0.280s
    sys 0m0.257s
And on the client side we get something like this:
Received disconnect from 127.0.0.1: 2: Timeout, your session not responding.
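To check which of the two behaviours a server is actually configured for, the following sketch reads sshd_config text and classifies the global ClientAlive* settings. It is an added example, not code from the post or from SunSSH. It assumes OpenSSH-style parsing (case-insensitive keywords, first value wins, global scope ends at the first Match block), defaults of interval 0 and count max 3, and plain integer seconds. The function names and the sample config are constructed for illustration.

```python
import re

# Assumed defaults (OpenSSH-style): interval 0 = alive checks off, count max 3.
DEFAULTS = {"clientaliveinterval": 0, "clientalivecountmax": 3}

# Constructed sample config, not taken from the post.
SAMPLE = """\
# idle session policy
Port 22
clientaliveinterval 600
ClientAliveCountMax=0
ClientAliveInterval 10
Match User backup
    ClientAliveCountMax 3
"""

def effective_alive_settings(config_text):
    """Return the global ClientAlive* values found in sshd_config text."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "key value" or "key=value"
        key = parts[0].lower()
        if key == "match":                       # per-user overrides not audited
            break
        if key in DEFAULTS and key not in found and len(parts) == 2:
            value = parts[1].strip()
            if not value.isdigit():
                raise ValueError(f"{parts[0]}: expected seconds, got {value!r}")
            found[key] = int(value)              # first occurrence wins
    return {**DEFAULTS, **found}

def classify(settings):
    """Map the two values to the behaviour described in the post."""
    interval = settings["clientaliveinterval"]
    count_max = settings["clientalivecountmax"]
    if interval == 0:
        return "disabled"                        # no alive checks are made
    if count_max == 0:
        return f"idle-kill after {interval}s"    # the trick from the post
    return "keepalive"                           # responsive idle sessions stay up

if __name__ == "__main__":
    print(classify(effective_alive_settings(SAMPLE)))
```

The "idle-kill" result reflects the SunSSH and OpenSSH behaviour of the time as described in this post; OpenSSH 8.2 and later changed sshd so that ClientAliveCountMax=0 disables connection termination, so check the server version before relying on it.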