Exploring ServerAliveInterval ClientAliveInterval in SSH

Updated: Aug 8

An SSH connection that times out due to inactivity is annoying and breaks our focus. Today we will dive into this issue and look at how to increase the SSH connection timeout in Linux.



ServerAliveInterval ClientAliveInterval meaning

First, let us look at what ServerAliveInterval and ClientAliveInterval mean in SSH configuration.


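  • ServerAliveInterval: a client-side option. It is the interval, in seconds, at which the client sends a probe message to the server when the connection is otherwise idle.

  • ClientAliveInterval: a server-side option. It is the interval, in seconds, at which the server sends a probe message to the client when the connection is otherwise idle.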

The following items are related to this issue in Linux.

  • client: ~/.ssh/ssh_config

  • server: /etc/ssh/sshd_config

  • TMOUT on the server side: a bash variable to auto-logout Linux users when there isn’t any activity.



Configure SSH Timeout on Client Side

User shell timeout value TMOUT on the server-side:

TMOUT=600

Client:

host *
    ServerAliveInterval 20
    ServerAliveCountMax 100
    TCPKeepAlive yes

Server:

# TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 3

In this configuration, the SSH timeout value is 600s, which is 10 minutes: the sshd log below shows the session opening at 02:36:51 and closing at 02:46:51.



Feb 26 02:36:51 hostname sshd[127463]: Accepted keyboard-interactive/pam for test from 10.79.102.248 port 61622 ssh2
Feb 26 02:36:51 hostname sshd[127463]: pam_unix(sshd:session): session opened for user test by (uid=0)
Feb 26 02:46:51 hostname sshd[127463]: pam_unix(sshd:session): session closed for user test

From the following packets, we can see that the client sends probe data to the server every 20s, which is the ServerAliveInterval.

10:37:11.741159 IP 10.79.102.248.61622 > 10.124.202.230.ssh: Flags [P.], seq 2770:2822, ack 3790, win 2048, options [nop,nop,TS val 2022184725 ecr 1297845101], length 52
10:37:11.767047 IP 10.124.202.230.ssh > 10.79.102.248.61622: Flags [P.], seq 3790:3818, ack 2822, win 287, options [nop,nop,TS val 1297865128 ecr 2022184725], length 28
10:37:11.767183 IP 10.79.102.248.61622 > 10.124.202.230.ssh: Flags [.], ack 3818, win 2047, options [nop,nop,TS val 2022184750 ecr 1297865128], length 0
10:37:31.769396 IP 10.79.102.248.61622 > 10.124.202.230.ssh: Flags [P.], seq 2822:2874, ack 3818, win 2048, options [nop,nop,TS val 2022204561 ecr 1297865128], length 52
10:37:31.789991 IP 10.124.202.230.ssh > 10.79.102.248.61622: Flags [P.], seq 3818:3846, ack 2874, win 287, options [nop,nop,TS val 1297885154 ecr 2022204561], length 28
10:37:31.790058 IP 10.79.102.248.61622 > 10.124



Configure SSH Timeout On Server Side

User shell timeout value TMOUT on the server-side:

TMOUT=600

Client:

host *
#    ServerAliveInterval 20
#    ServerAliveCountMax 100
#    TCPKeepAlive yes

Server:


# TCPKeepAlive yes
ClientAliveInterval 100
ClientAliveCountMax 3

In this configuration, the server will send the ssh probe packets every 100s. The ssh timeout value is still 600s.




17:13:26.391546 IP 10.124.202.230.ssh > 10.79.109.185.53650: Flags [P.], seq 3353822173:3353822233, ack 532087736, win 287, options [nop,nop,TS val 1321639748 ecr 2045603805], length 60
17:13:26.391630 IP 10.79.109.185.53650 > 10.124.202.230.ssh: Flags [.], ack 60, win 2047, options [nop,nop,TS val 2045703098 ecr 1321639748], length 0
17:13:26.391814 IP 10.79.109.185.53650 > 10.124.202.230.ssh: Flags [P.], seq 1:37, ack 60, win 2048, options [nop,nop,TS val 2045703098 ecr 1321639748], length 36
17:13:26.411743 IP 10.124.202.230.ssh > 10.79.109.185.53650: Flags [.], ack 37, win 287, options [nop,nop,TS val 1321639769 ecr 2045703098], length 0
17:15:06.431196 IP 10.124.202.230.ssh > 10.79.109.185.53650: Flags [P.], seq 60:120, ack 37, win 287, options [nop,nop,TS val 1321739769 ecr 2045703098], length 60
17:15:06.431284 IP 10.79.109.185.53650 > 10.124.202.230.ssh: Flags [.], ack 120, win 2047, options [nop,nop,TS val 2045802573 ecr 1321739769], length 0
17:15:06.431406 IP 10.79.109.185.53650 > 10.124.202.230.ssh: Flags [P.], seq 37:73, ack 120, win 2048, options [nop,nop,TS val 2045802573 ecr 1321739769], length 36
17:15:06.452580 IP 10.124.202.230.ssh > 10.79.109.185.53650: Flags [.], ack 73, win 287, options [nop,nop,TS val 1321739806 ecr 2045802573], length 0
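Added example (not part of the original article): the shell function below reads tcpdump text output and prints the gap in seconds between consecutive data-carrying packets from one sender, which confirms that the probes in both captures above follow the configured ServerAliveInterval (20) and ClientAliveInterval (100). The names probe_gaps, client_capture and server_capture are made up for this example; the sample lines are copied from the two captures above.

```shell
#!/usr/bin/env bash
# Added example: measure keepalive probe spacing in tcpdump text output.

# probe_gaps SENDER
# Reads tcpdump lines on stdin and prints, one per line, the gap in whole
# seconds between consecutive data-carrying packets sent by SENDER (written
# in tcpdump's "ip.port" form). Pure ACKs (length 0) and cut-off lines that
# do not end in "length N" are skipped.
probe_gaps() {
    awk -v sender="$1" '
        $2 == "IP" && $3 == sender && $(NF-1) == "length" && $NF + 0 > 0 {
            split($1, t, ":")                      # HH:MM:SS.micro
            now = t[1] * 3600 + t[2] * 60 + t[3]
            if (seen) {
                gap = now - prev
                if (gap < 0) gap += 86400          # capture crossed midnight
                printf "%.0f\n", gap
            }
            prev = now; seen = 1
        }'
}

# Lines copied from the first capture above (ServerAliveInterval 20),
# including the line that is cut off in the article.
client_capture() { cat <<'EOF'
10:37:11.741159 IP 10.79.102.248.61622 > 10.124.202.230.ssh: Flags [P.], seq 2770:2822, ack 3790, win 2048, options [nop,nop,TS val 2022184725 ecr 1297845101], length 52
10:37:11.767183 IP 10.79.102.248.61622 > 10.124.202.230.ssh: Flags [.], ack 3818, win 2047, options [nop,nop,TS val 2022184750 ecr 1297865128], length 0
10:37:31.769396 IP 10.79.102.248.61622 > 10.124.202.230.ssh: Flags [P.], seq 2822:2874, ack 3818, win 2048, options [nop,nop,TS val 2022204561 ecr 1297865128], length 52
10:37:31.790058 IP 10.79.102.248.61622 > 10.124
EOF
}

# Lines copied from the second capture above (ClientAliveInterval 100).
server_capture() { cat <<'EOF'
17:13:26.391546 IP 10.124.202.230.ssh > 10.79.109.185.53650: Flags [P.], seq 3353822173:3353822233, ack 532087736, win 287, options [nop,nop,TS val 1321639748 ecr 2045603805], length 60
17:13:26.391630 IP 10.79.109.185.53650 > 10.124.202.230.ssh: Flags [.], ack 60, win 2047, options [nop,nop,TS val 2045703098 ecr 1321639748], length 0
17:13:26.391814 IP 10.79.109.185.53650 > 10.124.202.230.ssh: Flags [P.], seq 1:37, ack 60, win 2048, options [nop,nop,TS val 2045703098 ecr 1321639748], length 36
17:15:06.431196 IP 10.124.202.230.ssh > 10.79.109.185.53650: Flags [P.], seq 60:120, ack 37, win 287, options [nop,nop,TS val 1321739769 ecr 2045703098], length 60
EOF
}

echo "client probe gap: $(client_capture | probe_gaps 10.79.102.248.61622)s"
echo "server probe gap: $(server_capture | probe_gaps 10.124.202.230.ssh)s"
```

The sender must be written the way the capture shows it: with tcpdump -n the server appears as 10.124.202.230.22 rather than 10.124.202.230.ssh.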



Recommended Steps to increase SSH connection timeout

We can use the following steps to increase the SSH connection timeout in Linux.

  1. Add ServerAliveInterval 20 and ServerAliveCountMax 100 on the client side in the file ~/.ssh/ssh_config, or pass them on the command line like this: $ ssh -o ServerAliveInterval=20 -o ServerAliveCountMax=100 user@example.com

  2. Change the TMOUT variable on the server side with the following commands.

Commands to change TMOUT value on server side

  • TMOUT=600 (this is 10 minutes)

  • export TMOUT

  • echo $TMOUT

This will keep the SSH connection alive for 10 minutes. We can set a larger TMOUT value for a longer SSH connection timeout if needed.
