Changing SSH Timeout

#1
Hey Guys,

How do I change the standard timeout time for SSH? Currently it seems to be around 2 minutes. I'd like to change it from the server side, not the client side. When I connect to our boxes at work SSH never times out.
 

Caleb

McDonald's Drywall Expert
#2
Edit your ssh_config file (usually found in /etc/ssh/ssh_config)

to include 'ConnectTimeout 0'

without the quotes


-Caleb
 
#3
Edit your ssh_config file (usually found in /etc/ssh/ssh_config)

to include 'ConnectTimeout 0'

without the quotes


-Caleb
No go:

[root@host ~]# sudo /sbin/service sshd start
Starting sshd:/etc/ssh/sshd_config: line 115: Bad configuration option: ConnectTimeout
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]
 

KH-Paul

CTO
Staff member
#5
There is no ConnectTimeout option according to "man sshd_config", which is why it isn't recognized.
With 2 minute timeout are you referring to login timeout (i.e. time between connection is established and valid username / password is entered) or to something else? If you're reffering to login timeout, then correct option name would be "LoginGraceTime", here is a copy & paste from "man sshd_config":

LoginGraceTime
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.
Regards,
Paul
 
#6
There is no ConnectTimeout option according to "man sshd_config", which is why it isn't recognized.
With 2 minute timeout are you referring to login timeout (i.e. time between connection is established and valid username / password is entered) or to something else? If you're reffering to login timeout, then correct option name would be "LoginGraceTime", here is a copy & paste from "man sshd_config":



Regards,
Paul
Hi Paul - I'm referring to the ssh session getting disconnected when my SecureCRT client is idle. It seems to be very short right now, like 2 minutes. I'd like to extend it to around 120 minutes. When I'm getting disconnected I am already logged in and at the prompt. TIA.
 
#7
Seems like I need to setup one of these... just not sure what I should set the variables to:

ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a mes-
sage through the encrypted channel to request a response from the client. The default is 0, indicating that these
messages will not be sent to the client. This option applies to protocol version 2 only.

ClientAliveCountMax
Sets the number of client alive messages (see above) which may be sent without sshd receiving any messages back from
the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the
client, terminating the session. It is important to note that the use of client alive messages is very different
from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not
be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valu-
able when the client or server depend on knowing when a connection has become inactive.

The default value is 3. If ClientAliveInterval (above) is set to 15, and ClientAliveCountMax is left at the
default, unresponsive ssh clients will be disconnected after approximately 45 seconds.

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the
connection or crash of one of the machines will be properly noticed. However, this means that connections will die
if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not
sent, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources.

The default is "yes" (to send TCP keepalive messages), and the server will notice if the network goes down or the
client host crashes. This avoids infinitely hanging sessions.

To disable TCP keepalive messages, the value should be set to "no".
 

KH-Paul

CTO
Staff member
#8
I bet this isn't related to sshd configuration - it doesn't kill connections after such short period of time. I guess connection gets terminated by your OS or your router/NAT device. Try to check router configuration to find out if you can adjust connection timeout there.
I'm not very familiar with SecureCRT but in Putty you can setup keep alive timeout which will prevent session from being killed by OS / router. Alternatively you may want to take a look at the following sshd options to initiate session keepalive packets from the server side. Please note that these options will affect every single ssh connection on your system.

Code:
     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to
             request a response from the client.  The default is 0, indicating that these messages will not be sent to the client.  This option applies to protocol ver-
             sion 2 only.

     ClientAliveCountMax
             Sets the number of client alive messages (see above) which may be sent without sshd receiving any messages back from the client.  If this threshold is
             reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.  It is important to note that the use of
             client alive messages is very different from TCPKeepAlive (below).  The client alive messages are sent through the encrypted channel and therefore will not
             be spoofable.  The TCP keepalive option enabled by TCPKeepAlive is spoofable.  The client alive mechanism is valuable when the client or server depend on
             knowing when a connection has become inactive.

             The default value is 3.  If ClientAliveInterval (above) is set to 15, and ClientAliveCountMax is left at the default, unresponsive ssh clients will be dis-
             connected after approximately 45 seconds.
Regards,
Paul
 
#9
I bet this isn't related to sshd configuration - it doesn't kill connections after such short period of time. I guess connection gets terminated by your OS or your router/NAT device. Try to check router configuration to find out if you can adjust connection timeout there.
I'm not very familiar with SecureCRT but in Putty you can setup keep alive timeout which will prevent session from being killed by OS / router. Alternatively you may want to take a look at the following sshd options to initiate session keepalive packets from the server side. Please note that these options will affect every single ssh connection on your system.

Code:
     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to
             request a response from the client.  The default is 0, indicating that these messages will not be sent to the client.  This option applies to protocol ver-
             sion 2 only.

     ClientAliveCountMax
             Sets the number of client alive messages (see above) which may be sent without sshd receiving any messages back from the client.  If this threshold is
             reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.  It is important to note that the use of
             client alive messages is very different from TCPKeepAlive (below).  The client alive messages are sent through the encrypted channel and therefore will not
             be spoofable.  The TCP keepalive option enabled by TCPKeepAlive is spoofable.  The client alive mechanism is valuable when the client or server depend on
             knowing when a connection has become inactive.

             The default value is 3.  If ClientAliveInterval (above) is set to 15, and ClientAliveCountMax is left at the default, unresponsive ssh clients will be dis-
             connected after approximately 45 seconds.
Regards,
Paul
It's not a client side issue as I can connect to my work machines in our staging environments and it never disconnects me. I know that I could setup some kind of keep alive from my client but I'd rather have it done on the server side. I turned on TCPKeepAlive so we'll see if that resolves the issue. I have no idea how to deal with the Router/NAT in linux :).

Thanks and I hope this information is useful for other users.
 
#11
Ok guys I think I got it.

Leave TCPKeepAlive commented out.

Uncomment:
ClientAliveInterval 3600
ClientAliveCountMax 1

ClientAliveInterval x ClientAliveCountMax = total amount of time before your session is disconnected. 1 hour in the example above.
 

Caleb

McDonald's Drywall Expert
#13
I would also like to know a solution for this. It seems I only have this issue with knownhost. I get disconnected fairly quickly.


-Caleb
 
Top