Hi,

I have /etc/ssh/sshd_config containg ...
ClientAliveCountMax 0
ClientAliveInterval 300

If I run a command that takes >300 secs and produces output then it
drops my ssh session:

$ time foo
a b
c d
eConnection to xxx closed by remote host.
Connection to xxx closed.

Now, if I redirect stdout it works fine:

$ time foo >foo.out

real 6m0.68s

It that to be expected?

I would kinda like to see the output as it's generated.

Thanks,
Richard

On Wed, 01 Dec 2021 16:33:44 +0000, Richard Harnden wrote:

> Hi,
>
> I have /etc/ssh/sshd_config containg ...
> ClientAliveCountMax 0
> ClientAliveInterval 300
>
> If I run a command that takes >300 secs and produces output then it
> drops my ssh session:
>
> $ time foo a
> b
> c
> d
> eConnection to xxx closed by remote host.
> Connection to xxx closed.
>
> Now, if I redirect stdout it works fine:
>
> $ time foo >foo.out
>
> real 6m0.68s
>
> It that to be expected?

Given your values for ClientAliveCountMax and ClientAliveInterval,
yes, this behaviour is expected. (see sshd_config(5) for details)

You've set ClientAliveInterval to 300, telling the sshd server
to "send a message through the encrypted channel to request a
response from the client" after 300 seconds of client inactivity.

You've set ClientAliveCountMax to 0, telling the sshd server
that it may send up to zero client alive messages before
terminating the connection.

So, after 300 seconds of client inactivity, the sshd daemon
will terminate it's connection with the client.

> I would kinda like to see the output as it's generated.

So, you have two tuning "knobs" to play with here:
1) ClientAliveInterval, and
2) ClientAliveCountMax

You specifically chose to override the default values for
these two "knobs", presumably to satisfy /some/ requirement.
You can adjust one or both of these values to extend your
inactivity timeout, but we can only /guess/ as to which
value you need to tune to satisfy both your current
requirement ("I would kinda like to see the output as it's
generated" and the original requirement that made you change
the defaults values.

HTH
--
Lew Pitcher
"In Skills, We Trust"

On 01/12/2021 17:02, Lew Pitcher wrote:
> On Wed, 01 Dec 2021 16:33:44 +0000, Richard Harnden wrote:
>
>> Hi,
>>
>> I have /etc/ssh/sshd_config containg ...
>> ClientAliveCountMax 0
>> ClientAliveInterval 300
>>
>> If I run a command that takes >300 secs and produces output then it
>> drops my ssh session:
>>
>> $ time foo a
>> b
>> c
>> d
>> eConnection to xxx closed by remote host.
>> Connection to xxx closed.
>>
>> Now, if I redirect stdout it works fine:
>>
>> $ time foo >foo.out
>>
>> real 6m0.68s
>>
>> It that to be expected?
>
> Given your values for ClientAliveCountMax and ClientAliveInterval,
> yes, this behaviour is expected. (see sshd_config(5) for details)
>
> You've set ClientAliveInterval to 300, telling the sshd server
> to "send a message through the encrypted channel to request a
> response from the client" after 300 seconds of client inactivity.
>
> You've set ClientAliveCountMax to 0, telling the sshd server
> that it may send up to zero client alive messages before
> terminating the connection.
>
> So, after 300 seconds of client inactivity, the sshd daemon
> will terminate it's connection with the client.

Yes, but why does "tail -f foo.log" count as inactive, but "tail -f
foo.log >/dev/null" will happily run forever.

>
>> I would kinda like to see the output as it's generated.
>
> So, you have two tuning "knobs" to play with here:
> 1) ClientAliveInterval, and
> 2) ClientAliveCountMax
>
> You specifically chose to override the default values for
> these two "knobs", presumably to satisfy /some/ requirement.

The requirement is CIS Red Hat Enterprise Linux 8 Benchmark - 5.2.13
Ensure SSH Idle Timeout Interval is configured.

I'm not sure that I'll be allowed to have any choice.

> You can adjust one or both of these values to extend your
> inactivity timeout, but we can only /guess/ as to which
> value you need to tune to satisfy both your current
> requirement ("I would kinda like to see the output as it's
> generated" and the original requirement that made you change
> the defaults values.

ClientAliveCountMax 1 fixes it.

As does remembering to hit return every 299 seconds.

On 2021-12-01, Lew Pitcher <lew.pitcher@digitalfreehold.ca> wrote:

>> ClientAliveCountMax 0
>> ClientAliveInterval 300
>
> Given your values for ClientAliveCountMax and ClientAliveInterval,
> yes, this behaviour is expected. (see sshd_config(5) for details)

This has been changed starting from OpenSSH 8.2 (released on 2020-02-14):

Bugfixes
--------
* sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
will now disable connection killing entirely rather than the
current behaviour of instantly killing the connection after the
first liveness test regardless of success. bz2627

The man page now reads
"Setting a zero ClientAliveCountMax disables connection termination."

--
Christian "naddy" Weisgerber naddy@mips.inka.de

On 01/12/2021 18:53, Christian Weisgerber wrote:
> On 2021-12-01, Lew Pitcher <lew.pitcher@digitalfreehold.ca> wrote:
>
>>> ClientAliveCountMax 0
>>> ClientAliveInterval 300
>>
>> Given your values for ClientAliveCountMax and ClientAliveInterval,
>> yes, this behaviour is expected. (see sshd_config(5) for details)
>
> This has been changed starting from OpenSSH 8.2 (released on 2020-02-14):
>
> Bugfixes
> --------
> * sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
> will now disable connection killing entirely rather than the
> current behaviour of instantly killing the connection after the
> first liveness test regardless of success. bz2627
>
> The man page now reads
> "Setting a zero ClientAliveCountMax disables connection termination."
>

Thanks.

I also found this: https://bugzilla.redhat.com/show_bug.cgi?id=2008339