I'm sending this only to openssh-unix-dev at mindrot.org (since I'm using the ported version of OpenSSH) and not to openssh at openssh.com, even though I believe this to be a general problem. Please advise if you think I should redirect this to the other mailing list.

Version: OpenSSH_2.2.0p1
Keywords: setsockopt keepalive hang masquerade

Symptom: For protocol 2, socket options (especially keepalive) are not being properly set for OpenSSH_2.2.0p1 (Red Hat 7.0 distribution). I believe this to be a general problem that is not specific to the portable version of OpenSSH.

Function packet_set_interactive is intended to be called to set socket options that are desired for interactive sessions. TCP keepalive messages are included in the socket options it sets, although they more properly ought to be elsewhere (as they are not related to interactivity).

The problem: Function packet_set_interactive is never called for protocol 2 connections -- only for protocol 1. This is the case for both ssh and sshd.

Specifically, for sshd protocol 1 connections, the function calls made are:

    main -> do_authentication -> do_authenticated -> packet_set_interactive

For sshd protocol 2 connections, the function calls made are:

    main -> do_authentication2 -> do_authenticated2

which does not call packet_set_interactive.

For ssh protocol 1 connections, packet_set_interactive is called from ssh_session. For protocol 2, the corresponding function ssh_session2 makes no call to packet_set_interactive.

----------------

I haven't delved into the protocol specifications, so if protocol 2 lacks an obvious way to determine whether a connection is "interactive", then so be it. However, the keepalive value ought to be set in any case.

My suggestions:

1. Move the keepalive setsockopt out of packet_set_interactive, as it's not related to interactive vs. non-interactive. Instead, make the keepalive setsockopt call in:

   ssh  -- in sshconnect.c, after the setsockopt for SO_LINGER, right before the call to packet_set_connection.
   sshd -- in sshd.c, after the setsockopt for SO_LINGER.

2. Secondarily, for ssh and sshd, ensure packet_set_interactive is also called for ssh2, if appropriate.

-----------------------

As an aside (as information for anyone else with the same problem), I need keepalives to keep my connections from hanging after thirty minutes due to an ISP (Cox at work) router that is masquerading IP addresses for my local network. This router apparently drops the masquerade table entries after 30 minutes of inactivity. (Then, in response to any further activity from the client, it just sends TCP resets, which generally leaves the connected incarnation of sshd hung until killed.)

My solution to that problem is to change the default keepalive time on my Linux system from 120 minutes to 20 minutes (1200 seconds) via

    echo 1200 > /proc/sys/net/ipv4/tcp_keepalive_time

and then depend on sshd keepalives to avoid inactivity.
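The following is an added example, not code from the report above or from OpenSSH itself. It shows the two things the report turns on: setting SO_KEEPALIVE on the connection socket independently of any "interactive" decision, and reading the option back with getsockopt so the gap described for protocol 2 (option never applied) can be checked rather than assumed. It also sets the idle time per socket with TCP_KEEPIDLE (a Linux-specific option, guarded by #ifdef), which is the per-connection alternative to changing the system-wide tcp_keepalive_time in /proc. The function names (enable_keepalive, keepalive_enabled, keepalive_idle, keepalive_selfcheck) and the 1200-second value are this example's own choices.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Turn on TCP keepalives for one TCP socket. This is the call the report
 * suggests placing right after the SO_LINGER setsockopt in sshconnect.c and
 * sshd.c, so it runs for protocol 1 and protocol 2 alike. idle_secs,
 * interval_secs and count, when > 0, override the system defaults for this
 * socket only (Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT; compiled out
 * where the platform lacks them). Returns 0 on success, -1 with errno set. */
int enable_keepalive(int fd, int idle_secs, int interval_secs, int count)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
#ifdef TCP_KEEPIDLE
    if (idle_secs > 0 &&
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_secs, sizeof idle_secs) < 0)
        return -1;
#endif
#ifdef TCP_KEEPINTVL
    if (interval_secs > 0 &&
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &interval_secs, sizeof interval_secs) < 0)
        return -1;
#endif
#ifdef TCP_KEEPCNT
    if (count > 0 &&
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &count, sizeof count) < 0)
        return -1;
#endif
    return 0;
}

/* Read SO_KEEPALIVE back. Returns 1 if set, 0 if not, -1 on error. On a
 * socket whose setup path skipped the option (the protocol 2 case in the
 * report) this returns 0. */
int keepalive_enabled(int fd)
{
    int on = 0;
    socklen_t len = sizeof on;
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len) < 0)
        return -1;
    return on != 0;
}

/* Per-socket idle time in seconds, or -1 where TCP_KEEPIDLE is unavailable
 * or the call fails. Without a per-socket override this reports the
 * system default (tcp_keepalive_time, 7200 s on a stock Linux box). */
int keepalive_idle(int fd)
{
#ifdef TCP_KEEPIDLE
    int idle = 0;
    socklen_t len = sizeof idle;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len) < 0)
        return -1;
    return idle;
#else
    (void)fd;
    return -1;
#endif
}

/* Self-check on a fresh, unconnected TCP socket: keepalive options may be
 * set before connect(); the kernel applies them once the connection exists.
 * Returns the idle time read back after enabling keepalive (idle_secs on
 * Linux, -1 where TCP_KEEPIDLE is unsupported), or -1 on any failure. */
int keepalive_selfcheck(int idle_secs)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int before = keepalive_enabled(fd);            /* expect 0: off by default */
    int rc = enable_keepalive(fd, idle_secs, 0, 0);
    int after = keepalive_enabled(fd);             /* expect 1 */
    int idle = keepalive_idle(fd);
    close(fd);
    if (rc != 0 || before != 0 || after != 1)
        return -1;
    return idle;
}

int main(void)
{
    int idle = keepalive_selfcheck(1200);
    printf("SO_KEEPALIVE set; per-socket idle time = %d s\n", idle);
    return (idle == 1200 || idle == -1) ? 0 : 1;
}
```

The per-socket override matters for the masquerading-router case described above: a 1200-second TCP_KEEPIDLE on the sshd connection keeps the NAT entry alive without lowering tcp_keepalive_time for every process on the host, and it survives the connection's own setup path not being "interactive". Note that TCP keepalives only detect the dead path; the application still has to act on the resulting error from read() or write().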