4

In sshd config you can specify the option TCPKeepAlive yes. These Pakets are not encrypted so the could be spoofed. With the options 

ClientAliveInterval
ClientAliveCountMax
ServerAliveInterval
ServerAliveCountMax

you can specify the interval of the keep alive packets and the timeout (*CountMax) after which the connection is dropped. See also here What options `ServerAliveInterval` and `ClientAliveInterval` in sshd_config exactly do?

With TCPKeepAlive you can only enable it. So what is the interval for the TCP-Pakets beeing sent? After how many unsuccessful packets the connection is regarded broken and closed? Since default values are:

#TCPKeepAlive yes
#ClientAliveInterval 0
#ClientAliveCountMax 3

As far as I understand: The detection and closing of broken/inactive connections solely depends on the TCPKeepAlive option in the default configuration. So it is quite important to know that values.

Hannes
  • 345

1 Answers1

6

The reason why OpenSSH doesn't offer any tweaks for TCPKeepAlive (which is implemented by the OS) is probably because there's no portable way to change its parameters; the only portable thing is turning it on or off with setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on_off).

On Linux, you can see (and change) the default values via the /proc filesystem, as documented in the tcp(7) manpage:

grep -T . /proc/sys/net/ipv4/tcp_keepalive*
/proc/sys/net/ipv4/tcp_keepalive_intvl: 75
/proc/sys/net/ipv4/tcp_keepalive_probes:        9
/proc/sys/net/ipv4/tcp_keepalive_time:  7200

So, it will wait 2 hours until it will consider a connection idle, and then send 9 probes at the interval of 75 seconds.

On Linux, FreeBSD and NetBSD (but not on OpenBSD) you can also change those options on a per-socket basis with setsockopt(fd, IPPROTO_TCP, TCP_KEEP{CNT,IDLE,INTVL}, &val) but, as mentioned, OpenSSH doesn't do that.