Getting dbclient to time out when network goes down with reverse proxy usage

Matt Johnston matt at ucc.asn.au
Wed Jul 9 00:21:52 WST 2014


On Fri, Jul 04, 2014 at 03:57:09AM -0700, Jesse Molina wrote:
> 
> Note that I have "ClientAliveInterval 15" set on the sshd_config
> server side. I would expect dropbear to count this traffic towards
> -I.
> 
> Without -I above, it took my device 18 minutes to figure out that I
> had pulled the network out from under it by shutting down the
> interface. That isn't acceptable.
> 
> Can dropbear do this, or do I need to use openssh?  I get the
> feeling after reading what I have read that dropbear is too simple
> to figure out when the server has gone away in most situations.

I've now made "-K" do the same as OpenSSH's
ServerAliveInterval/ClientAliveInterval. CountMax is
hardcoded to 3 in options.h - I don't think that needs to be
a runtime setting. I've only given it brief testing, it
might need some more attention to cases such as clients
being suspended (laptop lid shuts).
https://secure.ucc.asn.au/hg/dropbear/rev/a0819ecfee0b

I don't _think_ anyone really desired the old -K behaviour
of sending keepalives but not caring about the response - it
can still be used to keep a NAT session open, and if you've
gone that long without a response then the session is
probably dead anyway. Someone please correct me if I'm
mistaken.

-I deliberately ignores keepalive traffic to avoid bad
interactions. I think that's desirable.

For reference the issue Fabrizio had with OpenSSH
ClientAliveInterval looks like it was fixed in OpenSSH 4.9
https://bugzilla.mindrot.org/show_bug.cgi?id=1307
I've also made Dropbear send a SSH_MSG_REQUEST_FAILURE
response as suggested in Ahilan's reply - better late than
never!
https://www.mail-archive.com/[email protected]/msg00711.html

Cheers,
Matt


More information about the Dropbear mailing list