ssh drop connection when running command with output

[Richard Harnden]

Hi,

I have /etc/ssh/sshd_config containg ...
ClientAliveCountMax 0
ClientAliveInterval 300

If I run a command that takes >300 secs and produces output then it
drops my ssh session:

$ time foo
a
b
c
d
eConnection to xxx closed by remote host.
Connection to xxx closed.

Now, if I redirect stdout it works fine:

$ time foo >foo.out

real 6m0.68s

It that to be expected?

I would kinda like to see the output as it's generated.

Thanks,
Richard

[Lew Pitcher]

On Wed, 01 Dec 2021 16:33:44 +0000, Richard Harnden wrote:

> Hi,
>
> I have /etc/ssh/sshd_config containg ...
> ClientAliveCountMax 0
> ClientAliveInterval 300
>
> If I run a command that takes >300 secs and produces output then it
> drops my ssh session:
>
> $ time foo a
> b
> c
> d
> eConnection to xxx closed by remote host.
> Connection to xxx closed.
>
> Now, if I redirect stdout it works fine:
>
> $ time foo >foo.out
>
> real 6m0.68s
>
> It that to be expected?

Given your values for ClientAliveCountMax and ClientAliveInterval,
yes, this behaviour is expected. (see sshd_config(5) for details)

You've set ClientAliveInterval to 300, telling the sshd server
to "send a message through the encrypted channel to request a
response from the client" after 300 seconds of client inactivity.

You've set ClientAliveCountMax to 0, telling the sshd server
that it may send up to zero client alive messages before
terminating the connection.

So, after 300 seconds of client inactivity, the sshd daemon
will terminate it's connection with the client.

> I would kinda like to see the output as it's generated.

So, you have two tuning "knobs" to play with here:
1) ClientAliveInterval, and
2) ClientAliveCountMax

You specifically chose to override the default values for
these two "knobs", presumably to satisfy /some/ requirement.
You can adjust one or both of these values to extend your
inactivity timeout, but we can only /guess/ as to which
value you need to tune to satisfy both your current
requirement ("I would kinda like to see the output as it's
generated" and the original requirement that made you change
the defaults values.

HTH
--
Lew Pitcher
"In Skills, We Trust"

[Richard Harnden]

Yes, but why does "tail -f foo.log" count as inactive, but "tail -f
foo.log >/dev/null" will happily run forever.

>
>> I would kinda like to see the output as it's generated.
>
> So, you have two tuning "knobs" to play with here:
> 1) ClientAliveInterval, and
> 2) ClientAliveCountMax
>
> You specifically chose to override the default values for
> these two "knobs", presumably to satisfy /some/ requirement.

The requirement is CIS Red Hat Enterprise Linux 8 Benchmark - 5.2.13
Ensure SSH Idle Timeout Interval is configured.

I'm not sure that I'll be allowed to have any choice.

> You can adjust one or both of these values to extend your
> inactivity timeout, but we can only /guess/ as to which
> value you need to tune to satisfy both your current
> requirement ("I would kinda like to see the output as it's
> generated" and the original requirement that made you change
> the defaults values.

ClientAliveCountMax 1 fixes it.

As does remembering to hit return every 299 seconds.

[Christian Weisgerber]

On 2021-12-01, Lew Pitcher <lew.p...@digitalfreehold.ca> wrote:

>> ClientAliveCountMax 0
>> ClientAliveInterval 300

>
> Given your values for ClientAliveCountMax and ClientAliveInterval,
> yes, this behaviour is expected. (see sshd_config(5) for details)

This has been changed starting from OpenSSH 8.2 (released on 2020-02-14):

Bugfixes
--------
* sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
will now disable connection killing entirely rather than the
current behaviour of instantly killing the connection after the
first liveness test regardless of success. bz2627

The man page now reads
"Setting a zero ClientAliveCountMax disables connection termination."

--
Christian "naddy" Weisgerber na...@mips.inka.de

[Richard Harnden]

Thanks.

I also found this: https://bugzilla.redhat.com/show_bug.cgi?id=2008339