Closing Idle Sessions in SunSSH

There is a question having been asked from time to time. Is there a way for SSH to get rid of idle sessions? Usually, before such question is asked, server side keyword MaxStartups is consulted but quickly forgotten as an option that is to control something completely else. Then, ClientAliveInterval is checked with the same result. On the client side, ServerAliveInterval is hoped that it could help.

The answer might be suprising but those "alive" options can really help in getting rid of idle sessions both on the server and the client side, respectively. However, note that ServerAliveInterval and ServerAliveCountMax are supported only in OpenSolaris, not in S10. So, on S10 you will be able to close idle sessions only on the server side (which is usually why you are looking for such a feature though).

The trick is to set the "countmax" option to 0. The way how those options were implemented in OpenSSH and thus interited when SunSSH was forked is that when the alive counter expires and it's a time to send another keepalive-like packet, SSH checks whether the max counter has not already reached 0. If it has, the number of unanswered packets has reached its maximum and the connection is closed. So, if we start with 0 as the max count, we have an idle session killer instead to what those options are normally supposed to do. Yes, this also means you can no longer use the options to keep your connection alive through a proxy or a stateful firewall, for example. You have to decide which one of the two features you want.

See this example:

$ time ssh -o ServerAliveCountMax=0 -o ServerAliveInterval=10 boxA
Last login: Wed Oct 21 11:27:25 2009 from boxB
Sun Microsystems Inc.   SunOS 5.11   rfc-6868716 09/10/2009  Oct 2007
bfu'ed from /export/archives/nightly-nd/ on 2009-09-10
Sun Microsystems Inc.   SunOS 5.11      snv_115 November 2008
$ Timeout, server not responding.

real    0m14.626s
user    0m0.170s
sys     0m0.030s

Those extra 4 seconds was to log in over a slow connection. The timeout starts after the authentication is over. It's probably time to put a short note about this hidden feature to ssh_config(4) and sshd_config(4) manual pages but before that happens, this is a faster way to mention it.

The server side example looks similarly:

# cd /usr/lib/ssh
# time ./sshd -d -o ClientAliveCountMax=0 \\
                 -o ClientAliveInterval=10 -p 2222
...
output omitted
...
Disconnecting: Timeout, your session not responding.
...
real    0m12.806s
user    0m0.280s
sys     0m0.257s

And on the client side we get something like this:

Received disconnect from 127.0.0.1: 2: Timeout, your session
not responding.
Comments:

Sun SSH does not support ServerAliveInterval -- what is the version of Open SSH that it's based on? I do a strings on /usr/bin/ssh in Solaris 10/09 and it shows OpenSSH 3.8, which is supposed to support that option, according to the OpenSSH FAQ.

Mac OS X and Ubuntu support that option, how come Sun is so behind with the commercial Solaris Sun ssh version?

TIA.
--
David Strom

Posted by David Strom on June 23, 2010 at 08:30 AM CEST #

hi David, I'm sorry but SunSSH supports the feature only in OpenSolaris. J.

Posted by Jan on June 24, 2010 at 04:00 AM CEST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Jan Pechanec

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today