Wednesday, April 18, 2012

SSH Debugging: Tunnel Timeout

Abstract:
SSH encrypts both the credentials and the traffic (a command-line session or proxied TCP streams) when a session is opened between two servers (covered in article #1). The session can be established automatically, without a password prompt, through the use of shared keys (covered in article #2). When the SSH tunnel traverses a firewall, keep-alive traffic can be generated so that the firewall does not tear the tunnel down for lack of traffic (covered in this article).

Timeout:
When SSH must pass through a firewall (Juniper, FireWall-1, etc.) into a DMZ, it is not uncommon for the firewall to terminate sessions or sockets that have been idle for a period of time. This can be solved on either the client or the server end; it is not necessary to add the directive to both sides.


Client Timeout:
On the client machine, one can add a line to the /etc/ssh/ssh_config file so that the client sends a keep-alive request to the server, inside the encrypted channel, after every 60 seconds of inactivity, to keep the firewall from terminating an idle tunnel.

sun9999/root# grep ^ServerAliveInterval /etc/ssh/ssh_config
ServerAliveInterval 60

Server Timeout:
On the server machine, one can add a line to the /etc/ssh/sshd_config file so that the server sends a keep-alive request to the client, inside the encrypted channel, after every 60 seconds of inactivity, to keep the firewall from terminating an idle tunnel.

sun9999/root# grep ^ClientAliveInterval /etc/ssh/sshd_config
ClientAliveInterval 60

The SSH service must be restarted in order for sshd to use the new setting (the client-side ssh_config change simply applies to the next ssh session that is started).
sun9999/root# svcs ssh
STATE STIME FMRI
online Apr_06 svc:/network/ssh:default

sun9999/root# svcadm disable ssh
sun9999/root# svcs ssh
STATE STIME FMRI
disabled 9:52:03 svc:/network/ssh:default

sun9999/root# svcadm enable ssh
sun9999/root# svcs ssh
STATE STIME FMRI
online 9:52:08 svc:/network/ssh:default
The disable and enable are all that is required, but being a little paranoid, I prefer to see the status before and after making changes such as this to a critical access protocol.

2 comments:

  1. Hi David,

    Would like to ask if this will work in Solaris 9 SunOS 5.9?

    Thanks.
    RJ

  2. Hello RJ,

    This was used with Solaris 9 and Solaris 10 clients crossing a firewall and initiating connections to Solaris 10 sshd daemons.

    I cannot be certain if this works with Solaris 9 sshd; I would appreciate it if you could test, verify, and report back.

    Thanks - Dave
