Commit affb41e3 authored by Richard Kettlewell's avatar Richard Kettlewell Committed by Colin Watson

Various keepalive extensions

Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval.  (We're probably stuck with this bit for
compatibility.)

In batch mode, default ServerAliveInterval to five minutes.

Adjust documentation to match and to give some more advice on use of
keepalives.

Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14

Patch-Name: keepalive-extensions.patch
parent 4c7ed5c8
......@@ -141,6 +141,7 @@ typedef enum {
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
oProtocolKeepAlives, oSetupTimeOut,
oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
......@@ -263,6 +264,8 @@ static struct {
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
{ "ignoreunknown", oIgnoreUnknown },
{ "protocolkeepalives", oProtocolKeepAlives },
{ "setuptimeout", oSetupTimeOut },
{ NULL, oBadOption }
};
......@@ -939,6 +942,8 @@ parse_int:
goto parse_flag;
case oServerAliveInterval:
case oProtocolKeepAlives: /* Debian-specific compatibility alias */
case oSetupTimeOut: /* Debian-specific compatibility alias */
intptr = &options->server_alive_interval;
goto parse_time;
......@@ -1404,8 +1409,13 @@ fill_default_options(Options * options)
options->rekey_interval = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
if (options->server_alive_interval == -1) {
/* in batch mode, default is 5mins */
if (options->batch_mode == 1)
options->server_alive_interval = 300;
else
options->server_alive_interval = 0;
}
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
if (options->control_master == -1)
......
......@@ -136,8 +136,12 @@ Valid arguments are
If set to
.Dq yes ,
passphrase/password querying will be disabled.
In addition, the
.Cm ServerAliveInterval
option will be set to 300 seconds by default.
This option is useful in scripts and other batch jobs where no user
is present to supply the password.
is present to supply the password,
and where it is desirable to detect a broken network swiftly.
The argument must be
.Dq yes
or
......@@ -1141,8 +1145,15 @@ from the server,
will send a message through the encrypted
channel to request a response from the server.
The default
is 0, indicating that these messages will not be sent to the server.
is 0, indicating that these messages will not be sent to the server,
or 300 if the
.Cm BatchMode
option is set.
This option applies to protocol version 2 only.
.Cm ProtocolKeepAlives
and
.Cm SetupTimeOut
are Debian-specific compatibility aliases for this option.
.It Cm StrictHostKeyChecking
If this flag is set to
.Dq yes ,
......@@ -1181,6 +1192,12 @@ Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
This option only uses TCP keepalives (as opposed to using ssh level
keepalives), so takes a long time to notice when the connection dies.
As such, you probably want
the
.Cm ServerAliveInterval
option as well.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
......
......@@ -1161,6 +1161,9 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
.Pp
This option was formerly called
.Cm KeepAlive .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment