Getting dbclient to time out when network goes down with reverse proxy usage
Matt Johnston
matt at ucc.asn.au
Wed Jul 9 00:21:52 WST 2014
On Fri, Jul 04, 2014 at 03:57:09AM -0700, Jesse Molina wrote:
>
> Note that I have "ClientAliveInterval 15" set on the sshd_config
> server side. I would expect dropbear to count this traffic towards
> -I.
>
> Without -I above, it took my device 18 minutes to figure out that I
> had pulled the network out from under it by shutting down the
> interface. That isn't acceptable.
>
> Can dropbear do this, or do I need to use openssh? I get the
> feeling after reading what I have read that dropbear is too simple
> to figure out when the server has gone away in most situations.

I've now made "-K" do the same as OpenSSH's
ServerAliveInterval/ClientAliveInterval. CountMax is
hardcoded to 3 in options.h - I don't think that needs to be
a runtime setting. I've only given it brief testing; it
might need some more attention to cases such as clients
being suspended (laptop lid shuts).

https://secure.ucc.asn.au/hg/dropbear/rev/a0819ecfee0b

I don't _think_ anyone really desired the old -K behaviour
of sending keepalives but not caring about the response - it
can still be used to keep a NAT session open, and if you've
gone that long without a response then the session is
probably dead anyway. Someone please correct me if I'm
mistaken.

-I deliberately ignores keepalive traffic to avoid bad
interactions. I think that's desirable.

For reference the issue Fabrizio had with OpenSSH
ClientAliveInterval looks like it was fixed in OpenSSH 4.9

https://bugzilla.mindrot.org/show_bug.cgi?id=1307

I've also made Dropbear send an SSH_MSG_REQUEST_FAILURE
response as suggested in Ahilan's reply - better late than
never!

https://www.mail-archive.com/[email protected]/msg00711.html

Cheers,
Matt
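
Added example, not part of the message above and not Dropbear's code: a small C model of the two timers the message describes, showing that keepalive replies keep the -K check satisfied but never reset the -I idle clock. The names, the one-second stepping and the exact rule "give up after interval x 3 seconds with nothing received" are assumptions of this sketch; the received-packet timeline is constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define KEEPALIVE_COUNT_MAX 3 /* the post: CountMax is hardcoded to 3 */

enum end_reason { STILL_OPEN, KEEPALIVE_TIMEOUT, IDLE_TIMEOUT };
enum pkt_kind { PKT_DATA, PKT_KEEPALIVE_REPLY };
struct pkt { long t; enum pkt_kind kind; };     /* packet received at second t */
struct result { long t; enum end_reason why; }; /* t == -1 while still open */

/* Constructed sample: one data packet, then only keepalive replies every 15 s
 * until the network is pulled after t=90. */
static const struct pkt sample_rx[] = {
    {10, PKT_DATA},
    {15, PKT_KEEPALIVE_REPLY}, {30, PKT_KEEPALIVE_REPLY}, {45, PKT_KEEPALIVE_REPLY},
    {60, PKT_KEEPALIVE_REPLY}, {75, PKT_KEEPALIVE_REPLY}, {90, PKT_KEEPALIVE_REPLY},
};
#define SAMPLE_RX_LEN (sizeof sample_rx / sizeof sample_rx[0])

/* Step one second at a time up to `horizon`; 0 disables either timer.
 * Assumed rule for -K: give up after KEEPALIVE_COUNT_MAX intervals with
 * nothing received. Rule for -I: only PKT_DATA resets the idle clock. */
struct result session_end(const struct pkt *rx, size_t n, long keepalive_secs,
                          long idle_secs, long horizon)
{
    long last_recv = 0, last_activity = 0;
    size_t i = 0;
    for (long now = 0; now <= horizon; now++) {
        for (; i < n && rx[i].t <= now; i++) {
            last_recv = rx[i].t;                 /* any packet proves liveness */
            if (rx[i].kind == PKT_DATA)
                last_activity = rx[i].t;         /* keepalives do not count for -I */
        }
        if (keepalive_secs > 0 &&
            now - last_recv >= keepalive_secs * KEEPALIVE_COUNT_MAX)
            return (struct result){ now, KEEPALIVE_TIMEOUT };
        if (idle_secs > 0 && now - last_activity >= idle_secs)
            return (struct result){ now, IDLE_TIMEOUT };
    }
    return (struct result){ -1, STILL_OPEN };
}

int main(void)
{
    struct result k = session_end(sample_rx, SAMPLE_RX_LEN, 15, 0, 3600);
    struct result i = session_end(sample_rx, SAMPLE_RX_LEN, 0, 60, 3600);
    printf("-K 15: closed at %lds (reason %d)\n", k.t, (int)k.why);
    printf("-I 60: closed at %lds (reason %d)\n", i.t, (int)i.why);
    return 0;
}
```

With the sample timeline, a 15 second keepalive interval closes the modelled session 45 seconds after the last reply, while a 60 second idle timeout closes it at t=70 even though the link is still answering keepalives.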