Questions about configuring sshd

I checked the server admin manual and didn't find much detail on this topic. I took a look at the man page for sshd, but didn't really understand everything I read. Hoping someone here can help me understand how to configure sshd in OSX. I'm pretty new to OSX, but I have some experience working with Linux hosts. Working with sshd seems a little different on OSX.

I need to adjust the system-wide setting to timeout inactive SSH sessions. Currently a stale session will hang open forever. I need to set the timeout to 15 minutes. Where/How is this done? Is this done in /etc/ssh_config by setting a value for "ConnectTimeout"? Is this seconds or minutes?

How do you restart sshd after making changes to the config?

What is the difference between /etc/ssh_config and /etc/sshd_config?

XServe, Mac OS X (10.6.4), Snow Leopard Server

Posted on Oct 29, 2010 2:40 PM


Oct 29, 2010 3:46 PM in response to MrFuji

First off, there are two config files of interest here:

/etc/ssh_config - configuration file for the ssh client
/etc/sshd_config - configuration file for the ssh server

If you make a change to sshd_config then the change will apply to all connections made to this server. Making changes to ssh_config affects outgoing connections initiated by this machine.

So the first question is which file to edit.

If you want to control this at the server side (so idle connections are terminated by the server) then edit /etc/sshd_config.

All the options are covered in the sshd_config man page:

# man sshd_config


Specifically, I think you're looking for a combination of ClientAliveInterval and ClientAliveCountMax.

ClientAliveInterval sets how frequently SSHD checks the client connection. If ClientAliveCountMax tests are performed without any response the connection is closed.

So, for your 15 minute disconnect you could set the ClientAliveInterval to 300 (5 minutes = 300 seconds), with a ClientAliveCountMax set to 3 (you don't want to set it to 15 minutes/1 Max since any temporary network delay could cause the connection to drop).

To control this from the client side, the corresponding parameters to add to /etc/ssh_config are ServerAliveInterval and ServerAliveCountMax.

How do you restart sshd after making changes to the config?


Changes are dynamic, and applied to each new connection (i.e. the next time you log in it will use the current ssh_config/sshd_config settings).

Nov 1, 2010 9:20 AM in response to Camelot

Camelot, thanks for the helpful info!
From the sshd_config man page:
ClientAliveCountMax
Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.
...
The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds.

ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client.


Following the example from the man page, I set the ClientAliveInterval to 15 (seconds). I set the ClientAliveCountMax to 3. I initiated a new ssh session to the server and left it idle, expecting to see it disconnect after 45 seconds. However, the idle session never disconnected. Only when I set the ClientAliveCountMax to 0 did I see the idle sessions get dropped (after 15 seconds.)

I can set the ClientAliveInterval to 900 and ClientAliveCountMax to 0 to achieve the results that I'm after, but I'd really like to get clarification on why things aren't behaving like I think they should. What does it mean to be an "unresponsive SSH client"? I assume an idle session is not the same as an unresponsive session...

Nov 2, 2010 4:36 PM in response to MrFuji

What were the server settings?

Remember, both sides (client and server) could have keepalive/idle timers running, and it only takes one side to keep the connection alive. In other words, if your client was tickling the server then that would generate traffic that reset the server's perception of whether the connection was idle or not.

To put it another way, if the server is generating a tickle every 30 seconds, and the client is also tickling the connection every 30 seconds then, on average, you get a tickle every 15 seconds which is enough to keep the connection alive indefinitely.

From your post it seems that you got the desired result when you disabled keepalives from the server side, which implies you are relying on the client to maintain/terminate the connection state.

The solution to your question relies on balancing the server and client configurations.
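
The ClientAlive* behaviour discussed in this thread, as an added example that is not part of any post and not sshd's own code: a simplified Python model of the man page text quoted above, showing why an idle client that still answers probes is never dropped while a vanished one is. The name `simulate`, its parameters and the scenarios are constructed for illustration, and the `ClientAliveCountMax 0` branch encodes the behaviour reported in the thread.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    disconnected_at: Optional[int]  # seconds of idle time, None = still connected
    probes_sent: int


def simulate(interval: int, count_max: int, client_answers: bool,
             duration: int = 3600) -> Outcome:
    """Idle session (no user input) under the ClientAlive* rules quoted above.

    Simplified model for illustration, not sshd's implementation.
    client_answers: whether the client end still replies to server probes.
    """
    if interval <= 0:
        return Outcome(None, 0)  # ClientAliveInterval 0: no probes are sent
    unanswered = 0
    probes = 0
    for now in range(interval, duration + 1, interval):
        # Nothing arrived from the client during the last interval.
        if count_max == 0:
            # Behaviour reported in this thread (Mac OS X 10.6.4): the session
            # is dropped at the first idle interval, with no probe sent.
            return Outcome(now, probes)
        probes += 1
        unanswered += 1
        if client_answers:
            unanswered = 0  # any message back from the client resets the count
        elif unanswered >= count_max:
            return Outcome(now, probes)
    return Outcome(None, probes)


# Constructed scenarios, one hour of idle time each.
SCENARIOS = {
    "idle but alive, 15s x 3": simulate(15, 3, client_answers=True),
    "client vanished, 15s x 3": simulate(15, 3, client_answers=False),
    "idle but alive, 15s x 0": simulate(15, 0, client_answers=True),
    "idle but alive, 900s x 0": simulate(900, 0, client_answers=True),
    "client vanished, 300s x 3": simulate(300, 3, client_answers=False),
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name:28} -> {outcome}")
```

In OpenSSH 8.2 and later, `ClientAliveCountMax 0` disables connection termination instead of dropping the session at the first interval, so check the sshd_config man page on the host before relying on it as an idle timeout.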
