First release: Apr 8, 2001
Last modified: Sep 11, 2004
Here is a free patch for OpenSSH (portable versions). You can freely use, distribute or modify this patch, create a new patch based on this patch, or incorporate this patch into your code, all without fee. This patch is provided ``AS IS''. The author is not responsible for any damage caused by this patch.
See Previous codes and Contributed codes for other versions.
This patch adds a heartbeat (keepalive) function to ssh(1). If the output channel has been silent for more than a specified time, a null message (SSH_MSG_IGNORE) is sent to the server as a heartbeat. Heartbeats are useful for keeping connections alive across IP masquerade / NAT boxes, firewalls, etc. The interval between heartbeats can be specified by

    Heartbeat N

in the configuration file, where N denotes the interval in seconds. N=0 disables sending heartbeats. Although the interval between heartbeats is not very precise, it will be okay for many applications. If you experience undesirable disconnections behind an IP masquerade box or a NAT box,

    Heartbeat 180

or a similar value may work.
Note:   Heartbeat does not work if ServerAliveInterval is enabled at the same time.
There are some other SSH clients capable of emitting heartbeats (aka keepalives). Take a look at the bottom of this page.
There have been at least three patches for OpenSSH and I thank all of the authors for giving me good hints about implementation.
This patch also adds a watchdog timeout function to sshd(8). The combination of the heartbeat and the watchdog timeout is very useful for detecting a link going down over unreliable connections such as wireless networks.
If the input channel has been silent for more than the specified
time, sshd(8) tries to kill the child process(es) as soon as
possible in order to protect server resources.
Since the heartbeats are sent over the encrypted channel
between the client and the server,
it's not easy to hijack the connection to keep
the user's processes running.
Unlike IdleTimeout supported by ssh.com SSH1,
this patch checks only incoming packets rather than
all packets. This makes it possible to terminate
the user's login process even if the process continues
sending some data to the client.
The timeout interval can be specified by

    WatchdogTimeout N

in the configuration file, where N denotes the interval in seconds. N=0 disables the watchdog timeout function.
If you don't want to use the watchdog timeout for SSH2 protocol, the following option will be useful.

    WatchdogTimeout1 N

This option turns on/off the watchdog timeout for SSH1 protocol only. This would be useful when you use ``ClientAliveInterval'' option at the same time.
Here's an example of the configuration pair for wireless gateways.

    Heartbeat 5             # (in ssh_config)
    WatchdogTimeout1 20     # (in sshd_config)
    ClientAliveInterval 5
    ClientAliveCountMax 4
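The incoming-only check described above, simulated as an added example (not code from the patch): a constructed timeline using the 5-second heartbeat and 20-second timeout from the configuration above, in which the link drops at t=30 while a user process keeps writing output. The names build_timeline and timer_fires_at are hypothetical, and timing is idealized to whole seconds.

```c
#include <stdio.h>
#include <stddef.h>

/* Packet direction as seen by sshd: IN = from client, OUT = to client. */
enum dir { IN, OUT };
struct pkt { int t; enum dir d; };   /* t = seconds since session start */

/* Constructed timeline: client heartbeats every `hb` s (hb > 0) until the
 * link drops at `link_down`; a user process writes output every 2 s. */
size_t build_timeline(struct pkt *ev, size_t cap, int hb, int link_down, int end)
{
    size_t n = 0;
    for (int t = 1; t <= end && n < cap; t++) {
        if (t % hb == 0 && t <= link_down) ev[n++] = (struct pkt){ t, IN };
        if (t % 2 == 0 && n < cap)         ev[n++] = (struct pkt){ t, OUT };
    }
    return n;
}

/* Deadline at which a `timeout`-second timer expires, or -1 if it survives
 * until `end`. incoming_only=1: only client packets reset it (watchdog);
 * incoming_only=0: any packet resets it (all-traffic idle timer). */
int timer_fires_at(const struct pkt *ev, size_t n, int timeout,
                   int incoming_only, int end)
{
    int last = 0;                    /* session start counts as activity */
    for (size_t i = 0; i < n; i++) {
        if (ev[i].t - last > timeout)
            return last + timeout;   /* silent for more than `timeout` */
        if (!incoming_only || ev[i].d == IN)
            last = ev[i].t;
    }
    return (end - last > timeout) ? last + timeout : -1;
}

int main(void)
{
    struct pkt ev[128];
    size_t n = build_timeline(ev, 128, 5, 30, 120);  /* link lost at t=30 */
    printf("incoming-only watchdog expires at: %d\n", timer_fires_at(ev, n, 20, 1, 120));
    printf("all-traffic idle timer expires at: %d\n", timer_fires_at(ev, n, 20, 0, 120));
    return 0;
}
```

In this timeline the incoming-only timer expires 20 seconds after the last heartbeat, while the all-traffic timer never expires because the process's own output keeps resetting it.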
Both ssh.com SSH and OpenSSH have a KeepAlive (or TCPKeepAlive) option. However, this option doesn't help because it relies on the socket's SO_KEEPALIVE option, whose timeout is extremely long (at least 2hrs). Therefore, we need a watchdog...
(Be sure to use GNU tar.)

    % tar zxpf openssh-3.9p1-watchdog.patch.tgz
    % tar zxpf openssh-3.9p1.tar.gz
    % cd openssh-3.9p1
    % patch < ../openssh-3.9p1-watchdog.patch

(Follow the instructions of OpenSSH.)
Here is the code for previous versions of OpenSSH. It is kept here only for future reference. You are strongly encouraged to use the newer OpenSSH, because the older versions may have security issues.
Here is a patch for OpenSSH 2.9p1 by Tomi Lapinlampi in Finland.
The patch has been fixed by H.Goto.
(This patch can be applied to OpenSSH 2.9p2 as well.)
The following SSH clients have a heartbeat (aka keepalive) function. You can use them to connect to an OpenSSH server with the watchdog timeout enabled.