bugzilla-daemon at bugzilla.mindrot.org
2016-May-26 03:12 UTC
[Bug 2572] New: dead sessions aren't closed despite ClientAlive enabled
https://bugzilla.mindrot.org/show_bug.cgi?id=2572

            Bug ID: 2572
           Summary: dead sessions aren't closed despite ClientAlive enabled
           Product: Portable OpenSSH
           Version: 3.7.1p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.net

Hi.

I'm experiencing the following every now and then:
A ssh session somehow gets stuck and never gets closed despite ClientAlive messages being enabled.

Unfortunately I do not know how to reproduce it, nor did I find any other indicative log messages or so.

It happens with the Debian sid version of ssh, but I think I experience it since 6.9 (I think it wasn't happening in 6.8) - but maybe I mix things up here.
systemd is used, sshd runs in daemon mode.

I have amongst others the following set in sshd_config:
ClientAliveInterval 15
ClientAliveCountMax 8
TCPKeepAlive no

AFAIU, ClientAlive messages should do more or less the same just not on the TCP level but within the encrypted SSH connection.
So if that is gone and the client doesn't reply anymore, I'd expect sshd to kill the connection.

A current example shows me:
# w
 05:08:19 up 2 days,  5:19,  3 users,  load average: 0,00, 0,05, 0,05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    141.[snipsnap]   Tue14   39:08m  0.23s  0.23s -bash
root     pts/1    142.[snipsnap]   Tue14   38:04m  0.23s  0.23s -bash
root     pts/2    2001:[snipsnap]  01:36    1.00s  0.34s  0.00s w

The ones on pts 0 and 1 are dead (they were made from the same laptop that makes the connection to 2, just from another network, and the laptop has been rebooted several times since then).

# netstat --inet --inet6 -pn | grep ssh
tcp        0      0 85.[snipsnap]:22        141.[snipsnap]:34016    ESTABLISHED 15847/sshd: root@pt
tcp        0      0 85.[snipsnap]:22        142.[snipsnap]:51726    ESTABLISHED 17000/sshd: root@pt
tcp6       0    276 2a01:[snipsnap]:46538   ESTABLISHED 29362/sshd: root@pt

Interestingly, the kernel doesn't kill off the connections either, despite them being definitely gone.

Any ideas how to further debug that?

Thanks,
Chris.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-May-26 22:54 UTC
[Bug 2572] dead sessions aren't closed despite ClientAlive enabled
https://bugzilla.mindrot.org/show_bug.cgi?id=2572

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
            Version|3.7.1p2                     |6.9p1

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
If you have time based rekeying enabled, maybe this:
https://anongit.mindrot.org/openssh.git/commit/?id=988e429d903acfb298bfddfd75e7994327adfed0

Failing that, setting "LogLevel debug3" in sshd_config would give some clues (but would be very noisy).
bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-03 19:13 UTC
[Bug 2572] dead sessions aren't closed despite ClientAlive enabled
https://bugzilla.mindrot.org/show_bug.cgi?id=2572

--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.net> ---
With timebased re-keying you mean e.g.:
/etc/ssh$ grep -i rekey *config
ssh_config:RekeyLimit default 1h
sshd_config:RekeyLimit default 1h

(which are also the values I've set it with).

Apart from that, I'll try to make your logs later,... unfortunately I cannot easily reproduce all different kinds of situations in which this problem happens (maybe they're all the same problem, maybe not), but simply disconnecting the network seems to be one case.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-20 01:03 UTC
[Bug 2572] dead sessions aren't closed despite ClientAlive enabled
https://bugzilla.mindrot.org/show_bug.cgi?id=2572

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|NEW                         |RESOLVED

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
We believe this is a duplicate of bug#2252, the fix for which will be in the 7.3 release. If 7.3 doesn't fix it (you could try a snapshot now) then please reopen this bug. Thanks.

*** This bug has been marked as a duplicate of bug 2252 ***
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-20 01:21 UTC
[Bug 2572] dead sessions aren't closed despite ClientAlive enabled
https://bugzilla.mindrot.org/show_bug.cgi?id=2572

--- Comment #5 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Hey.

Sorry that I somehow completely forgot my promise to produce the logs with the patch :-(

I think it's best now to simply wait until 7.3 hits Debian, and in case I'd notice the issue again after that, I'd simply reopen :-)

Cheers and thanks,
Chris.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:41 UTC
[Bug 2572] dead sessions aren't closed despite ClientAlive enabled
https://bugzilla.mindrot.org/show_bug.cgi?id=2572

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release
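
A configuration check built from the diagnosis in this thread, as an added example (not part of the bug report and not OpenSSH code): it computes how long sshd should wait before dropping a silent client and flags the combination the thread points to, ClientAlive together with a time-based RekeyLimit on a release before 7.3. The function names are hypothetical, the version tuple is supplied by the caller, and only the global section of sshd_config (before any Match block) is read.

```python
import re

# Constructed sample: the settings quoted in the report and in comment #2.
SAMPLE_SSHD_CONFIG = """\
ClientAliveInterval 15
ClientAliveCountMax 8
TCPKeepAlive no
RekeyLimit default 1h
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_time(spec):
    """Convert an sshd_config time value such as '15', '1h' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", spec.lower())
    if not parts or "".join(n + u for n, u in parts) != spec.lower():
        raise ValueError(f"bad time value: {spec!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def global_options(text):
    """Return {keyword: [args]} for the global section; the first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].replace("=", " ").split()
        if not words:
            continue
        key = words[0].lower()
        if key == "match":  # per-connection overrides are out of scope here
            break
        opts.setdefault(key, words[1:])
    return opts

def audit(text, version):
    """version is the installed OpenSSH release as a tuple, e.g. (6, 9)."""
    opts = global_options(text)
    interval = parse_time(opts.get("clientaliveinterval", ["0"])[0])
    count = int(opts.get("clientalivecountmax", ["3"])[0])
    rekey = opts.get("rekeylimit", ["default", "none"])
    rekey_secs = 0 if len(rekey) < 2 or rekey[1].lower() == "none" else parse_time(rekey[1])
    return {
        "dead_peer_timeout": interval * count,  # seconds before a silent client is dropped
        "time_based_rekey": rekey_secs,
        # Per the thread: time-based rekeying is the suspected trigger, fixed in 7.3.
        "at_risk": interval > 0 and rekey_secs > 0 and version < (7, 3),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, (6, 9)))
```

With the reporter's settings the expected cutoff is two minutes, which is why sessions idle for 38 and 39 hours stand out as a fault rather than a slow timeout.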