From: "Philip J. Koenig"
Organization: The Electric Kahuna Organization
To: FreeBSD LIST
Date: Tue, 23 Apr 2002 22:13:57 -0700
Subject: Re: SSH questions
Reply-To: pjklist@ekahuna.com
Cc: Peter Leftwich, Benjamin Krueger, Tim Erlin
In-reply-to: <20020423211453.F56505@rain.macguire.net>
References: <20020423235007.G58815-100000@earl-grey.cloud9.net>; from Hostmaster@Video2Video.Com on Tue, Apr 23, 2002 at 11:52:22PM -0400

On 23 Apr 2002, at 21:14, Benjamin Krueger boldly uttered:

> * Peter Leftwich (Hostmaster@Video2Video.Com) [020423 20:52]:
> > On Tue, 23 Apr 2002, Philip J. Koenig wrote:
> > > On 23 Apr 2002, at 7:53, Tim Erlin boldly uttered:
> > > > You can run ssh with -v and get some good debug output. Might be useful. --Tim
> > > Indeed it may be. Here's what I see when the session disconnects:
> >
> > I use the command `ssh -l username -C domain.net` but find the -v flag
> > interesting... does ssh report the verbose stuff when the user "ends" the
> > ssh session (hits Ctrl-D at the remote site)?
> >
> > > $ Read from remote host host.example.com: Connection reset by peer
> > > Connection to host.example.com closed.
> > > debug: Transferred: stdin 0, stdout 29815, stderr 128 bytes in 861.7 seconds
> > > debug: Bytes per second: stdin 0.0, stdout 34.6, stderr 0.1
> > > debug: Exit status -1
> > >
> > > So I get a couple of things. The session lasted about 14 mins (maybe there's a 10 min idle timer?),
> > > the Connection reset by peer message, and the "Exit status -1".
> > > Does this tell us much?
> >
> > A lot of commercial ISPs with unix logins have idle timers that kick you
> > off. You may be able to get away with a shell script that types a "."
> > every 1 minute to prevent getting kicked.

I administer the boxes on both ends and there is no idle timer that *I've* ever put in place.

> A unix idle timer wouldn't drop the connection such that your client would
> report "Connection reset by peer". My first thought would be to ask whether
> you or the ISP are running NAT anywhere. NAT systems are nearly always set to
> drop inactive connections after a certain period of time to keep the state
> table from filling up (and thus stopping new connections from being used). The
> best way to combat this is not to raise the limit on the NAT, but to use the
> built in keepalive feature that your ssh client provides.

Both boxes are running static, routable IP addresses.

Any ideas what "exit status -1" means? Unexpected termination of session?

Here's part of the sshd manpage from both the openssh site and FreeBSD 4.5-STABLE, stuff that isn't in the FreeBSD sshd manpage for 4.3-STABLE:

> ClientAliveInterval
> Sets a timeout interval in seconds after which if no data has
> been received from the client, sshd will send a message through
> the encrypted channel to request a response from the client. The
> default is 0, indicating that these messages will not be sent to
> the client. This option applies to protocol version 2 only.
>
> ClientAliveCountMax
> Sets the number of client alive messages (see above) which may be
> sent without sshd receiving any message back from the client. If
> this threshold is reached while client alive messages are being
> sent, sshd will disconnect the client, terminating the session.
> It is important to note that the use of client alive messages is
> very different from KeepAlive (below). The client alive messages
> are sent through the encrypted channel and therefore will not be
> spoofable. The client alive mechanism is valuable when the client
> or server depend on knowing when a connection has become inactive.
> [...]

There is also some discussion in their list archive about this, and in looking at it I wouldn't be surprised if it's the firewall timing out the session:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&w=2&r=1&s=Connection+reset+by+peer&q=b

The fact that my 4.3 box doesn't have a "ClientAliveInterval" option in its config files leads to the conclusion that feature is missing, and if set appropriately (after upgrade to a version that supports it) perhaps it would keep the connection open?

It appears that KeepAlive messages are sent by default, but in the old version of SSH on the 4.3 box, there appears to be no way to set what the interval is. If the interval is longer than my firewall session timeout, the session would close.

FWIW, it looks like there has been some recent patch to Open SSHD to add an "idle timeout" feature:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99808588904353&w=2

--
Philip J. Koenig
pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
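An added example, not part of the thread and not OpenSSH code: a small Python checker that reads an sshd_config the way sshd does (keywords are case-insensitive and the first occurrence of a keyword wins) and compares ClientAliveInterval and ClientAliveCountMax against a NAT or firewall idle timeout. It shows why the default ClientAliveInterval of 0 leaves an idle session with no traffic for a state table to see, and how long a probing sshd takes to notice a peer that has vanished. The two config texts are constructed, the 600-second idle timeout is an assumed value standing in for whatever the firewall between the hosts enforces, and the ClientAliveCountMax default of 3 is OpenSSH's documented default rather than something quoted in the message.

```python
"""Check sshd_config client-alive settings against a NAT/firewall idle timeout.

Added example, not from the mailing-list thread.  The two config snippets are
constructed; the 600-second idle timeout is an assumed value standing in for
whatever the middlebox between the hosts actually enforces.
"""
import re

# sshd defaults.  ClientAliveInterval 0 is stated in the man page quoted in
# the message; ClientAliveCountMax 3 is OpenSSH's documented default (assumed
# here, not quoted on the page).
DEFAULT_CLIENT_ALIVE_INTERVAL = 0
DEFAULT_CLIENT_ALIVE_COUNT_MAX = 3


def parse_sshd_config(text):
    """Return {keyword: value} for an sshd_config body.

    Keywords are case-insensitive, a line starting with '#' is a comment, and
    sshd uses the FIRST occurrence of a keyword, so later duplicates are
    ignored here as well.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # "Keyword value" or "Keyword = value" are both accepted by sshd.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def keepalive_report(settings, idle_timeout):
    """Say whether sshd's client-alive probes keep a NAT/firewall state entry
    fresh, and how long after a client vanishes sshd will drop the session.

    idle_timeout: seconds of silence after which the middlebox drops the flow.
    """
    interval = int(settings.get("clientaliveinterval", DEFAULT_CLIENT_ALIVE_INTERVAL))
    count = int(settings.get("clientalivecountmax", DEFAULT_CLIENT_ALIVE_COUNT_MAX))
    protocol = settings.get("protocol", "2")  # a modern sshd speaks only v2

    # The man page says client-alive applies to protocol version 2 only.
    if "2" not in protocol.split(","):
        return {"keeps_alive": False, "dead_peer_after": None,
                "reason": "client-alive messages apply to protocol 2 only"}
    if interval == 0:
        return {"keeps_alive": False, "dead_peer_after": None,
                "reason": "ClientAliveInterval 0: sshd sends nothing on an idle session"}
    keeps_alive = interval < idle_timeout
    return {
        "keeps_alive": keeps_alive,
        # sshd disconnects after `count` unanswered probes, `interval` s apart.
        "dead_peer_after": interval * count,
        "reason": ("probe interval is below the idle timeout" if keeps_alive
                   else "probe interval exceeds the idle timeout; state expires first"),
    }


# Constructed: a config like the 4.3-era one, with no client-alive setting.
IDLE_CONFIG = """\
# sshd_config (constructed example)
Port 22
Protocol 2,1
KeepAlive yes
"""

# Constructed: the same config probing every 120 s, three misses and out.
PROBING_CONFIG = """\
Port 22
Protocol 2,1
KeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 3
# ignored by sshd, which keeps the first occurrence of a keyword:
ClientAliveInterval 900
"""

FIREWALL_IDLE_TIMEOUT = 600  # assumed middlebox idle timeout, in seconds

if __name__ == "__main__":
    for name, text in (("idle", IDLE_CONFIG), ("probing", PROBING_CONFIG)):
        print(name, keepalive_report(parse_sshd_config(text), FIREWALL_IDLE_TIMEOUT))
```

Run against a real sshd_config, the same check tells an administrator whether the server will generate encrypted-channel traffic before the state table forgets the flow, and also what the trade-off is: with ClientAliveInterval 120 and ClientAliveCountMax 3, a client that disappears is disconnected after 360 seconds, which is the behaviour the quoted man page describes for a client or server that needs to know when a connection has gone inactive.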