[PATCH] detect and kill stuck connections to clients/server

Ahilan Anantha aanantha at riverbed.com
Fri Jan 8 10:17:50 WST 2010

Hi folks,

I hacked in OpenSSH style "Server Alive" and "Client Alive" messages 
into dropbear.

In OpenSSH, the ServerAliveInterval and ServerAliveCountMax options 
cause the client to send "global requests" to the server with the name 
"keepalive@openssh.org" with the flag "want reply" set to 1.

When an SSH server sees the message, it fails to recognize it and issues 
a "failure" response to the client. It appears the OpenSSH people 
purposely used a request name nobody else would use to guarantee that 
the server does nothing except send back an error.

If the client does not receive ServerAliveCountMax consecutive responses 
to its requests, it disconnects. The default value of 
ServerAliveCountMax is 3. The interval at which the client sends 
requests is controlled by ServerAliveInterval. But its default value is 
0 which disables the feature.

So it's a heartbeat. It lets the client know to disconnect if the 
server disappears off the network.

"Client alive" works the same way. There's a ClientAliveCountMax and 
ClientAliveInterval. And in this case the client responds to the 
keepalive@openssh.org requests.

In dropbear, however, the "global requests" only get serviced when 
ENABLE_SVR_REMOTETCPFWD is defined in because the only global requests 
supported are for tcp forwarding. And the client doesn't service any 
global requests. So an OpenSSH client can use server alives against a 
Dropbear server if remote TCP forwarding is compiled in. But an OpenSSH 
server sending client alives would very quickly disconnect a Dropbear 

I patched dropbear and dbclient to always respond to global requests, 
but only handle the "tcpip-forward" and "cancel-tcpip-forward" messages 
when it's enabled. And like OpenSSH it sends failure for the 
"ping@dropbear" requests for consistency with any other SSH server that 
doesn't know what these requests are.

To turn on server/client alives, you pass the "-A" option to 
dbclient/dropbear. That sets the interval. But to change the number of 
responses that can be missed, you have to do that via the options.h 
file. I ran out of letters in the alphabet to choose from.

I tried to avoid reorganizing the code. Which means the changes aren't 
as clean as they should be. And it's not well tested so beware.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dropbear-0.52-serveralives.patch
Type: text/x-patch
Size: 23309 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20100107/3379575a/attachment.bin 
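The keepalive exchange the post describes, as an added example that is not part of the post or of the attached patch: one side builds the SSH_MSG_GLOBAL_REQUEST (RFC 4254 wire format), the receiving side answers every request that has want_reply set and services tcpip-forward only when forwarding is enabled (everything unknown, the keepalive included, gets a failure reply), and a sender-side counter disconnects once count_max consecutive heartbeats go unanswered. The message numbers are from RFC 4254; the request name and the miss counting follow the post; AliveMonitor and run_heartbeat are assumed names for this simulation.

```python
import struct
# Message numbers from RFC 4254; the request name is the one the post gives.
SSH_MSG_GLOBAL_REQUEST, SSH_MSG_REQUEST_SUCCESS, SSH_MSG_REQUEST_FAILURE = 80, 81, 82
KEEPALIVE_NAME = b"keepalive@openssh.org"

def build_global_request(name, want_reply=True):
    """SSH_MSG_GLOBAL_REQUEST payload: byte 80, string (uint32 length + bytes), boolean."""
    return bytes([SSH_MSG_GLOBAL_REQUEST]) + struct.pack(">I", len(name)) + name + bytes([int(want_reply)])

def parse_global_request(payload):
    """Returns (name, want_reply); request-specific fields after the boolean are ignored."""
    if payload[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not a global request")
    (n,) = struct.unpack(">I", payload[1:5])
    return payload[5:5 + n], payload[5 + n] == 1

def service_global_request(payload, remote_tcpfwd_enabled):
    """Receiving side as the patch describes it: every want_reply request is answered, tcpip-forward
    is serviced only when forwarding is compiled in, and anything unknown (the keepalive) gets FAILURE."""
    name, want_reply = parse_global_request(payload)
    handled = remote_tcpfwd_enabled and name in (b"tcpip-forward", b"cancel-tcpip-forward")
    if not want_reply:
        return None
    return bytes([SSH_MSG_REQUEST_SUCCESS if handled else SSH_MSG_REQUEST_FAILURE])

class AliveMonitor:
    """Sending side (assumed name): tracks heartbeats that have gone unanswered."""
    def __init__(self, count_max=3):
        self.count_max, self.unanswered = count_max, 0
    def tick(self):
        """Once per interval. True means count_max heartbeats went unanswered: disconnect."""
        if self.unanswered >= self.count_max:
            return True
        self.unanswered += 1  # the caller now sends build_global_request(KEEPALIVE_NAME)
        return False
    def on_reply(self, msg_type):
        if msg_type in (SSH_MSG_REQUEST_SUCCESS, SSH_MSG_REQUEST_FAILURE):
            self.unanswered = 0  # a FAILURE reply is still proof the peer is alive

def run_heartbeat(peer_answers, count_max=3, remote_tcpfwd_enabled=False):
    """Constructed simulation: peer_answers[i] says whether the reply to heartbeat i arrives; returns the interval at which the sender disconnects, or None."""
    mon = AliveMonitor(count_max)
    for i, answered in enumerate(peer_answers):
        if mon.tick():
            return i
        request = build_global_request(KEEPALIVE_NAME)
        if answered:
            mon.on_reply(service_global_request(request, remote_tcpfwd_enabled)[0])
    return None
```

With the default count_max of 3, a peer that stops answering is dropped at the fourth interval after its last reply, which is the ServerAliveCountMax behaviour the post describes.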
