DaemonForums  

#1  Sunsawe, 27th May 2008

sshd and timeout

Hi,

I would like to know if there is a timeout for inactivity in the sshd of FreeBSD 7.0.

I am just starting to investigate some strange things when I am trying to connect to my FreeBSD box from an Ubuntu one.
After a short time of inactivity (a matter of minutes, less than 5) the ssh client is just not reacting anymore. It's not frozen, it's just that no key pressed on the keyboard is displayed or transmitted anymore. After a while, I get a connection timeout message.
Before, on my FreeBSD 6.2 box, I could leave the ssh client connected for ages without any problem.

So is there a default time limit set in sshd? If yes, how do I modify it?

Thanks

#2  anomie, 27th May 2008

Are you passing through a home router/NAT device on the path from your Ubuntu box to the FreeBSD sshd server? I've seen symptoms similar to what you are describing in that situation (but it hasn't been unique to FBSD).
__________________
Kill your t.v.

#3  Sunsawe, 27th May 2008

Well, I am passing through a router set where the FreeBSD box is.
But it is a Netgear router with its own settings; I just had to transfer some ports from the router to the box via the router's interface.

#4  anomie, 28th May 2008

Well, there is probably a cleverer approach, but the nasty workaround I came up with is: run some non-resource intensive command that will keep data moving across the wire at regular intervals.

e.g.
$ while true ; do clear ; w ; sleep 5 ; done

Fire that up if you're going to be away from your terminal for a couple minutes. (Make it an alias if you'd like.)

Alternatively, after logging in to your FBSD server, you could start up a screen session. If and when you're disconnected, you can just log in and resume where you left off with screen -r.
__________________
Kill your t.v.

#5  Sunsawe, 28th May 2008

I am using screen for time-consuming operations but... this is very annoying. I think the time before the problem occurs is around 2 minutes. Basically, I don't even have time to check the syntax of a command!

Being forced to reconnect and log in again every time is very annoying!

#6  TerryP, 28th May 2008

/etc/ssh/sshd_config is your friend.

option: ClientAliveCountMax [integer, default: 3]

Sets the max # of client alive messages that will be sent without reply before the client is disconnected with a vengeance. Tune this with ClientAliveInterval so your clients don't get timeouts too quickly.

Note: SSH2 only


option: ClientAliveInterval [integer, default: 0]

After [integer] seconds, if no data is received from the client, send an encrypted ping pong ball to the client asking to reply or face being terminated. The default value of 0 means sshd does not ask if clients are still alive.

Note: SSH2 only


option: TCPKeepAlive [bool, default: yes]

To send [yes] TCP keep alives to the other side of the connection or not [no]. If these are used it makes it easier to detect when client/server connections fail but it means if the network craps out for a moment your SSH session is toasted; setting it off means the session could hang.

Note: SSH1, SSH2, This does not work the same way as the ClientAlive* options !!!



When I was using a SSHFS (before I started getting system wide lockups on the client) I had to set the client alives to keep the mounts active when not in use. In my case I adjusted the involved sshd_config files as such:

Code:
ClientAliveInterval 15
ClientAliveCountMax 45

Note from the manual page (sshd_config)
Quote:
Originally Posted by ClientAliveCountMax
The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

Cheers
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
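
Added example (not part of any post in this thread): a small sh/awk check that reads an sshd_config, reports the effective ClientAliveInterval and ClientAliveCountMax, and computes how long an unresponsive client stays connected. The function names, the sample config and the 120-second idle cutoff (taken from the "around 2 minutes" estimate in post #5) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# keepalive_window: read sshd_config text on stdin and print
# "<ClientAliveInterval> <ClientAliveCountMax> <seconds before a dead client is dropped>".
keepalive_window() {
    awk -F'[ \t=]+' '
        BEGIN { interval = 0; count = 3 }   # defaults given in post #6
        /^[ \t]*#/ { next }                 # comment line
        { sub(/^[ \t]+/, "") }              # drop indentation (fields are re-split)
        NF == 0 { next }                    # blank line
        { key = tolower($1) }               # keywords are case-insensitive
        key == "match" { exit }             # global section ends at the first Match block
        # sshd uses the first value it reads for a keyword, so later duplicates are ignored
        key == "clientaliveinterval" && !seen_i++ { interval = $2 + 0 }
        key == "clientalivecountmax" && !seen_c++ { count = $2 + 0 }
        END { print interval, count, interval * count }
    '
}

# survives_idle_cutoff CUTOFF: succeed when the server probes the client more
# often than a middlebox that drops idle connections after CUTOFF seconds.
survives_idle_cutoff() {
    cutoff=$1
    set -- $(keepalive_window)
    [ "$1" -gt 0 ] && [ "$1" -lt "$cutoff" ]
}

# Constructed sample config using the values from post #6, plus a duplicate
# keyword and a Match block to exercise the edge cases.
SAMPLE_CONFIG='# constructed sample
Port 22
ClientAliveInterval 15
ClientAliveCountMax 45
ClientAliveInterval 300
Match User backup
    ClientAliveInterval 0'

printf '%s\n' "$SAMPLE_CONFIG" | keepalive_window          # 15 45 675

if printf '%s\n' "$SAMPLE_CONFIG" | survives_idle_cutoff 120; then
    echo "probes are sent before a 120 s idle cutoff"
fi
```

With the values from post #6 the window is 15 x 45 = 675 seconds, so a client that has really gone away keeps its session for over eleven minutes, compared with the 45 seconds of the manual page's example.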

#7  Sunsawe, 29th May 2008

Thanks, that made it!