[PATCH] detect and kill stuck connections to clients/server
aanantha at riverbed.com
Fri Jan 8 10:17:50 WST 2010
I hacked in OpenSSH style "Server Alive" and "Client Alive" messages.

In OpenSSH, the ServerAliveInterval and ServerAliveCountMax options
cause the client to send "global requests" to the server with the name
"keepalive@openssh.org" with the flag "want reply" set to 1.
When an SSH server sees the message they fail to recognize it and issue
a "failure" response to the client. It appears the OpenSSH people
purposely used a request name nobody else would use to guarantee that
the server does nothing except send back an error.

If the client does not receive ServerAliveCountMax consecutive responses
to its requests, it disconnects. The default value of
ServerAliveCountMax is 3. The interval at which the client sends
requests is controlled by ServerAliveInterval. But its default value is
0 which disables the feature.

So it's a heart beat. It lets the client know to disconnect if the
server disappears off the network.

"Client alive" works the same way. There's a ClientAliveCountMax and
ClientAliveInterval. And in this case the client responds to the
keepalive@openssh.org requests.

In dropbear, however, the "global requests" only get serviced when
ENABLE_SVR_REMOTETCPFWD is defined in because the only global requests
supported are for tcp forwarding. And the client doesn't service any
global requests. So an OpenSSH client can use server alives against a
Dropbear server if remote TCP forwarding is compiled in. But an OpenSSH
server sending client alives would very quickly disconnect a Dropbear

I patched dropbear and dbclient to always respond to global requests,
but only handle the "tcpip-forward" and "cancel-tcpip-forward" messages
when it's enabled. And like OpenSSH it sends failure for the
"ping@dropbear" requests for consistency with any other SSH server that
doesn't know what these requests are.

To turn on server/client alives, you pass the "-A" option to
dbclient/dropbear. That sets the interval. But to change the number of
responses that can be missed, you have to do that via the options.h
file. I ran out of letters in the alphabet to choose from.

I tried to avoid reorganizing the code. Which means the changes aren't
as clean as they should be. And it's not well tested so beware.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 23309 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20100107/3379575a/attachment.bin
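The heartbeat mechanism described in the mail, as an added example that is not the author's patch and not Dropbear or OpenSSH code: it encodes SSH_MSG_GLOBAL_REQUEST the way RFC 4254 lays it out (message byte, string name, boolean want_reply), models a peer that answers unknown requests with SSH_MSG_REQUEST_FAILURE (the patched behaviour) next to one that ignores global requests entirely (the unpatched dbclient behaviour the mail describes), and runs the count-max logic over a constructed reachability timeline. The request name, the handler and monitor names, and the timeline are all assumptions for illustration.

```python
import struct
from typing import Callable, List, Optional

# Message numbers for global requests, RFC 4254 section 4.
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82

# Placeholder request name, hypothetical; the real OpenSSH name is the
# "keepalive at ..." one quoted in the mail above.
KEEPALIVE_NAME = b"keepalive@example.invalid"

# Real global request names from RFC 4254 that a server may actually service.
TCPFWD_REQUESTS = (b"tcpip-forward", b"cancel-tcpip-forward")


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_global_request(name: bytes, want_reply: bool) -> bytes:
    """Encode SSH_MSG_GLOBAL_REQUEST: byte type, string name, boolean want_reply."""
    return bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(name) + bytes([1 if want_reply else 0])


def parse_global_request(packet: bytes):
    """Decode a global request; rejects anything that is not one or is truncated."""
    if len(packet) < 6 or packet[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not a global request")
    (n,) = struct.unpack(">I", packet[1:5])
    if len(packet) < 6 + n:
        raise ValueError("truncated global request")
    name = packet[5:5 + n]
    want_reply = packet[5 + n] != 0
    return name, want_reply


def patched_handler(packet: bytes, remote_tcpfwd_enabled: bool = False) -> Optional[bytes]:
    """Peer behaviour after the patch: every request with want_reply gets an answer.
    Only the tcpip-forward requests can succeed, and only if forwarding is compiled in;
    everything else, including the keepalive name, gets REQUEST_FAILURE."""
    name, want_reply = parse_global_request(packet)
    if name in TCPFWD_REQUESTS and remote_tcpfwd_enabled:
        reply = bytes([SSH_MSG_REQUEST_SUCCESS])
    else:
        reply = bytes([SSH_MSG_REQUEST_FAILURE])
    return reply if want_reply else None


def unpatched_client_handler(packet: bytes, remote_tcpfwd_enabled: bool = False) -> Optional[bytes]:
    """Peer behaviour the mail describes for the old dbclient: global requests are
    never serviced, so the other side sees no reply at all."""
    parse_global_request(packet)  # the packet is read, then dropped on the floor
    return None


class AliveMonitor:
    """Sender-side heartbeat state. A REQUEST_FAILURE still proves the peer is alive;
    only a missing reply counts as a miss, and count_max consecutive misses disconnect."""

    def __init__(self, count_max: int = 3):
        self.count_max = count_max
        self.missed = 0
        self.disconnected = False

    def observe(self, reply: Optional[bytes]) -> None:
        if self.disconnected:
            return
        if reply is None:
            self.missed += 1
            if self.missed >= self.count_max:
                self.disconnected = True
        else:
            self.missed = 0


def simulate(peer_reachable: List[bool],
             handler: Callable[..., Optional[bytes]] = patched_handler,
             count_max: int = 3,
             remote_tcpfwd_enabled: bool = False) -> Optional[int]:
    """Send one keepalive per interval over a constructed timeline; peer_reachable[i]
    says whether the network delivers the exchange at tick i. Returns the 1-based tick
    at which the sender gives up, or None if the connection survives."""
    mon = AliveMonitor(count_max)
    for tick, reachable in enumerate(peer_reachable, start=1):
        request = build_global_request(KEEPALIVE_NAME, want_reply=True)
        reply = handler(request, remote_tcpfwd_enabled) if reachable else None
        mon.observe(reply)
        if mon.disconnected:
            return tick
    return None


if __name__ == "__main__":
    # Constructed timeline: two short outages, then the peer vanishes for good.
    timeline = [True, True, False, False, True, False, False, False]
    print("patched peer, disconnect at tick:", simulate(timeline))
    print("unpatched client, healthy network, disconnect at tick:",
          simulate([True] * 5, handler=unpatched_client_handler))
```

The two simulations show the point of the patch: with a peer that answers failure, the sender survives outages shorter than count_max intervals and only drops a peer that has really gone away, whereas a peer that silently ignores global requests is disconnected after count_max intervals on a perfectly healthy network.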