Attached is a patch to allow a user to turn on TCP keepalives for
port-forwarded connections. It's mainly useful when the connections to the
ssh listener are coming from many different boxes, some of which
crash, leaving the service on the other side of the port forwarder
waiting on connections indefinitely.
It creates a new option named "KeepAliveForward" to control this
behavior. It's off by default for backward compatibility.
This patch was made for 2.9p2, but it applies almost perfectly to the
CVS HEAD. I would've provided a patch to CVS instead, but the HEAD
doesn't build for me at the moment.
Thoughts?
Please cc: me, I'm not on the list. Thanks.
--- openssh-2.9p2/channels.c.keepalivetunnel Wed Jun 13 12:18:05 2001
+++ openssh-2.9p2/channels.c Thu Aug 23 15:40:43 2001
@@ -61,6 +61,9 @@
#include "canohost.h"
#include "key.h"
#include "authfd.h"
+#include "readconf.h"
+
+extern Options options;
/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000
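Review bot: `extern Options options;` ties channels.c to the client's readconf.h type, but channels.c appears to be linked into sshd as well (it services remote forwards there), and sshd's `options` is a `ServerOptions` from servconf.h; if so, resolving this client-typed extern against the server's object means the read of `options.keepalives_forward` in the third hunk (`@@ -781,6 +785,13 @@`) inspects whatever field sits at that offset in `ServerOptions`, which is undefined behaviour rather than a clean "off". The channel layer should not reach into either program's config: keep a file-scope flag in channels.c, `static int keepalives_forward = 0;`, exposed through a setter such as `void channel_set_keepalives_forward(int on);` that ssh.c calls after parsing its options, and drop both the `readconf.h` include and the extern. That shape also lets sshd opt in for `-R` listeners, which a client-only option cannot reach.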
@@ -765,6 +768,7 @@
int newsock, newch, nextstate;
socklen_t addrlen;
char *rtype;
+ int one = 1;
if (FD_ISSET(c->sock, readset)) {
debug("Connection to port %d forwarding "
@@ -781,6 +785,13 @@
if (newsock < 0) {
error("accept: %.100s", strerror(errno));
return;
+ }
+ /* Set keepalives if requested */
+ if (options.keepalives_forward &&
+ setsockopt(newsock, SOL_SOCKET, SO_KEEPALIVE,
+ (void *) &one, sizeof(one)) < 0)
+ {
+ error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
}
newch = channel_new(rtype,
nextstate, newsock, newsock, -1,
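Review bot: The comment `/* Set keepalives if requested */` does not tell the reader what the option actually buys for the stated goal of noticing crashed peers: SO_KEEPALIVE only enables probing with the kernel's system-wide keepalive idle/interval/count timers, which on common systems take a couple of hours before a dead peer is reported, so detection is far from immediate unless those timers are tuned; suggest `/* Enable TCP keepalive probes on the accepted socket; detection time is governed by the kernel's keepalive timers, not by this option. */`. Logging and continuing on setsockopt failure is the right call here since the forward still works without probes. As a style point, the brace on its own line after the condition differs from the surrounding `if (newsock < 0) {` form; fold it onto the condition line. The enclosing function starts and ends outside the hunk.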
--- openssh-2.9p2/readconf.c.keepalivetunnel Tue Apr 17 11:11:37 2001
+++ openssh-2.9p2/readconf.c Thu Aug 23 15:42:37 2001
@@ -106,7 +106,7 @@
oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
- oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
+ oCompressionLevel, oKeepAlives, oKeepAlivesForward, oNumberOfPasswordPrompts,
oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
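Review bot: The rewritten enumerator line `oCompressionLevel, oKeepAlives, oKeepAlivesForward, oNumberOfPasswordPrompts,` now runs past 80 columns once the leading tab is counted, while the neighbouring lines of the enum stay within it; move `oNumberOfPasswordPrompts,` down to start the following line so the block keeps its existing width.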
@@ -172,6 +172,7 @@
{ "compression", oCompression },
{ "compressionlevel", oCompressionLevel },
{ "keepalive", oKeepAlives },
+ { "keepaliveforward", oKeepAlivesForward },
{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
{ "loglevel", oLogLevel },
{ "dynamicforward", oDynamicForward },
@@ -394,6 +395,10 @@
intptr = &options->keepalives;
goto parse_flag;
+ case oKeepAlivesForward:
+ intptr = &options->keepalives_forward;
+ goto parse_flag;
+
case oNumberOfPasswordPrompts:
intptr = &options->number_of_password_prompts;
goto parse_int;
@@ -738,6 +743,7 @@
options->strict_host_key_checking = -1;
options->compression = -1;
options->keepalives = -1;
+ options->keepalives_forward = -1;
options->compression_level = -1;
options->port = -1;
options->connection_attempts = -1;
@@ -825,6 +831,8 @@
options->compression = 0;
if (options->keepalives == -1)
options->keepalives = 1;
+ if (options->keepalives_forward == -1)
+ options->keepalives_forward = 0;
if (options->compression_level == -1)
options->compression_level = 6;
if (options->port == -1)
--- openssh-2.9p2/readconf.h.keepalivetunnel Tue Apr 17 11:11:37 2001
+++ openssh-2.9p2/readconf.h Thu Aug 23 15:40:43 2001
@@ -62,6 +62,7 @@
int compression_level; /* Compression level 1 (fast) to 9
* (best). */
int keepalives; /* Set SO_KEEPALIVE. */
+ int keepalives_forward; /* Set SO_KEEPALIVE for port forwards. */
LogLevel log_level; /* Level for logging. */
int port; /* Port to connect. */
--- openssh-2.9p2/ssh.1.keepalivetunnel Mon Apr 23 06:02:17 2001
+++ openssh-2.9p2/ssh.1 Thu Aug 23 15:40:43 2001
@@ -844,6 +844,12 @@
To disable keepalives, the value should be set to
.Dq no
in both the server and the client configuration files.
+.It Cm KeepAliveForward
+Similar to KeepAlive, but applies to port forwards
+.Pp
+The default is
+.Dq no
+(to not send keepalives)
.It Cm KerberosAuthentication
Specifies whether Kerberos authentication will be used.
The argument to this keyword must be