Discussion:
inactivity timeout or disconnect
Ming-Ching Tiew
2008-09-03 06:25:59 UTC
I am using dropbear as sshd server and dbclient as ssh client
and I do reverse port forward between the client and the server
( ie it does not start shell ). That has been working.

And I want to have an activity disconnect after certain
period of inactivity from the client. How can I do it ?

Regards.
Ming-Ching Tiew
2008-09-03 08:06:15 UTC
Post by Ming-Ching Tiew
I am using dropbear as sshd server and dbclient as ssh client
and I do reverse port forward between the client and the server
( ie it does not start shell ). That has been working.
And I want to have an activity disconnect after certain
period of inactivity from the client. How can I do it ?
I did some search, and I have come to conclusion that
dropbear could not do it, and openssh daemon could
not do it too ! I am surprised !

Anyone has a workaround ?
Cristian Ionescu-Idbohrn
2008-09-03 08:33:15 UTC
Post by Ming-Ching Tiew
Post by Ming-Ching Tiew
I am using dropbear as sshd server and dbclient as ssh client
and I do reverse port forward between the client and the server
( ie it does not start shell ). That has been working.
And I want to have an activity disconnect after certain
period of inactivity from the client. How can I do it ?
I did some search, and I have come to conclusion that
dropbear could not do it, and openssh daemon could
not do it too ! I am surprised !
Anyone has a workaround ?
Take a look at the ssh_config man page and look for caseless 'alive'
string.

ServerAliveCountMax
ServerAliveInterval
TCPKeepAlive

Cheers,
--
Cristian
Ming-Ching Tiew
2008-09-03 08:47:45 UTC
Post by Cristian Ionescu-Idbohrn
Post by Ming-Ching Tiew
Post by Ming-Ching Tiew
I am using dropbear as sshd server and dbclient as ssh client
and I do reverse port forward between the client and the server
( ie it does not start shell ). That has been working.
And I want to have an activity disconnect after certain
period of inactivity from the client. How can I do it ?
I did some search, and I have come to conclusion that
dropbear could not do it, and openssh daemon could
not do it too ! I am surprised !
Anyone has a workaround ?
Take a look at the ssh_config man page and look for caseless 'alive'
string.
ServerAliveCountMax
ServerAliveInterval
TCPKeepAlive
They aren't the same thing as "inactivity timeout" or "idle timeout".
Those parameters serve these purposes :-

1. Keep connection alive for the purpose of firewalling.
2. Disconnect if there is a stale connection due to network
failure.

And so on. That's more or less the same as dropbear's -K
( keepalive ) option.

But on a perfect network, the keepalive will continue to
allow session to be maintained even though there is
no user-level activity and so it will not disconnect
the session.

Based on the document I read, ssh1 does have a "IdleTimeOut"
parameter but unfortunately, when openssh is written,
there is no more such implementation.

Regards.
jose otero
2008-09-04 01:06:47 UTC
I ran into the same problem (with respect to keyboard activity). You can
create a timer that fires when your inactivity criteria is met. You can
restart your timer when a carriage return is entered or if a single
character is typed. When the timer function executes make sure you clean-up
the appropriate resources (file descriptors, memory, etc). Hope this helps.
Post by Ming-Ching Tiew
Post by Ming-Ching Tiew
I am using dropbear as sshd server and dbclient as ssh client
and I do reverse port forward between the client and the server
( ie it does not start shell ). That has been working.
And I want to have an activity disconnect after certain
period of inactivity from the client. How can I do it ?
I did some search, and I have come to conclusion that
dropbear could not do it, and openssh daemon could
not do it too ! I am surprised !
Anyone has a workaround ?
Ming-Ching Tiew
2008-09-04 01:39:12 UTC
Post by jose otero
I ran into the same problem (with respect to keyboard activity). You
can create a timer that fires when your inactivity criteria is met.
You can restart your timer when a carriage return is entered or if a
single character is typed. When the timer function executes make sure
you clean-up the appropriate resources (file descriptors, memory,
etc). Hope this helps.
I think most of you failed to read that this is not an interactive remote
signon, this is just a reverse port forward executed in batchmode and
it does not execute any shell on the server.

Anyway I have got some progress by patching the dropbear source code,
it does not seem to be that difficult a change. I am testing if it has any
undesirable side effects.

Thank you for your suggestion.

Regards.
Rob Landley
2008-09-08 09:06:26 UTC
Post by Ming-Ching Tiew
Post by jose otero
I ran into the same problem (with respect to keyboard activity). You
can create a timer that fires when your inactivity criteria is met.
You can restart your timer when a carriage return is entered or if a
single character is typed. When the timer function executes make sure
you clean-up the appropriate resources (file descriptors, memory,
etc). Hope this helps.
I think most of you failed to read that this is not an interactive remote
signon, this is just a reverse port forward executed in batchmode and
it does not execute any shell on the server.
Anyway I have got some progress by patching the dropbear source code,
it does not seem to be that difficult a change. I am testing if it has any
undesirable side effects.
Actually what I'd do is make a "timeout" command that works like cat except it
drops the connection after a certain amount of activity (close stdin, close
stdout, exit program), then insert it in the pipeline. No real need to
modify ssh for this.

Rob
Ming-Ching Tiew
2008-09-08 09:26:10 UTC
Post by Rob Landley
Actually what I'd do is make a "timeout" command that works like cat
except it drops the connection after a certain amount of activity
(close stdin, close stdout, exit program), then insert it in the
pipeline. No real need to modify ssh for this.
I am not too clear about this, perhaps you can enlighten me.

Assuming that my dbclient command is this :-

dbclient -y -N -T -p 2222 \
-R 1234:localhost:5678 \
-l root w.x.y.z >/dev/null 2>&1 &

And the server command is this ( for example ) :-

dropbear -a -p 2222

So where do I insert the "timeout" program ?

Do you mean this ? :-

dbclient -y -p 2222 \
-R 1234:localhost:5678 \
-l root w.x.y.z 'timeout' &

But will the 'timeout' get to intercept the traffic
or activity on forwarding ports ?

Regards
Matt Johnston
2008-09-08 13:53:58 UTC
Post by Ming-Ching Tiew
I think most of you failed to read that this is not an interactive remote
signon, this is just a reverse port forward executed in batchmode and
it does not execute any shell on the server.
Anyway I have got some progress by patching the dropbear source code,
it does not seem to be that difficult a change. I am testing if it has any
undesirable side effects.
Yes, I think that the only way to accomplish this is to
modify Dropbear itself (or perhaps make use of some clever
iptables rules?). There is already the keepalive timeout,
triggering something similar for any packet other than
SSH_MSG_IGNORE or SSH_MSG_DEBUG would probably work? If you
think the patch would be worth merging send it and I'll take
a look.

On a somewhat related note, apologies for my lack of
activity on the list lately - I'll try and get back to some
of the mails and patches that have been sent over the past
months.

Cheers,
Matt
Farrell Aultman
2008-09-08 16:01:42 UTC
I actually need to do this also. Here is what I am planning: One way
to do it would be to add another command line option for the idle
timeout. Another timeout (based on command line) could be added to
the select(). This "case" would check to see if there has been any
activity, and if not, close down the channel (or this dropbear
process?). If there was activity before the "case" was selected, set
a flag to indicate no activity. When there is activity on a channel,
set the flag to indicate such (perhaps ignoring SSH_MSG_IGNORE or
SSH_MSG_DEBUG). (Note, this implementation would actually check for
2x the inactivity specified). What was done for -K is very similar
to what needs to be done here.

Farrell
Post by Matt Johnston
Post by Ming-Ching Tiew
I think most of you failed to read that this is not an interactive remote
signon, this is just a reverse port forward executed in batchmode and
it does not execute any shell on the server.
Anyway I have got some progress by patching the dropbear source code,
it does not seem to be that difficult a change. I am testing if it has any
undesirable side effects.
Yes, I think that the only way to accomplish this is to
modify Dropbear itself (or perhaps make use of some clever
iptables rules?). There is already the keepalive timeout,
triggering something similar for any packet other than
SSH_MSG_IGNORE or SSH_MSG_DEBUG would probably work? If you
think the patch would be worth merging send it and I'll take
a look.
On a somewhat related note, apologies for my lack of
activity on the list lately - I'll try and get back to some
of the mails and patches that have been sent over the past
months.
Cheers,
Matt
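
Added example, not from any message in this thread and not Dropbear's code: the idle check Matt Johnston and Farrell Aultman describe, run over a constructed packet trace. It compares a last-activity timestamp with the flag-per-interval scheme and shows that keepalive packets (SSH_MSG_IGNORE) keep the link up without counting as activity. The struct, function names and trace are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSH_MSG_IGNORE        2   /* RFC 4253 */
#define SSH_MSG_DEBUG         4   /* RFC 4253 */
#define SSH_MSG_CHANNEL_DATA 94   /* RFC 4254 */

struct pkt { long t; uint8_t type; };  /* arrival time (s), SSH message number */

/* Constructed trace: forwarded data at t=5, then only keepalives every 10 s. */
static const struct pkt TRACE[] = {
    {5, SSH_MSG_CHANNEL_DATA}, {10, SSH_MSG_IGNORE}, {20, SSH_MSG_IGNORE},
    {30, SSH_MSG_IGNORE}, {40, SSH_MSG_IGNORE}, {50, SSH_MSG_IGNORE},
};

/* Keepalive and debug packets must not count, or a healthy link never idles. */
static int is_activity(uint8_t type) {
    return type != SSH_MSG_IGNORE && type != SSH_MSG_DEBUG;
}

/* Timestamp variant: deadline = last activity + timeout (the value a select()
 * timeout would be derived from). Returns disconnect time, or -1 if none by end. */
long idle_disconnect_timestamp(const struct pkt *p, size_t n, long timeout, long end) {
    long last = 0;                            /* session start counts as activity */
    for (size_t i = 0; i < n; i++) {
        if (p[i].t >= last + timeout) break;  /* deadline fired before this packet */
        if (is_activity(p[i].type)) last = p[i].t;
    }
    return last + timeout <= end ? last + timeout : -1;
}

/* Flag variant: a timer fires every `timeout` seconds and only looks at a flag,
 * so the real idle time before disconnect can reach almost 2x the setting. */
long idle_disconnect_flag(const struct pkt *p, size_t n, long timeout, long end) {
    size_t i = 0;
    int active = 1;                           /* session start counts as activity */
    for (long tick = timeout; tick <= end; tick += timeout) {
        for (; i < n && p[i].t < tick; i++)
            if (is_activity(p[i].type)) active = 1;
        if (!active) return tick;
        active = 0;                           /* re-arm for the next interval */
    }
    return -1;
}

int main(void) {
    printf("timestamp: %ld\n", idle_disconnect_timestamp(TRACE, 6, 30, 100));
    printf("flag:      %ld\n", idle_disconnect_flag(TRACE, 6, 30, 100));
    return 0;
}
```

With a 30 s timeout the timestamp variant disconnects at t=35 and the flag variant at t=60, even though keepalives keep arriving throughout.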
Jose Otero
2008-09-04 01:26:42 UTC
I ran into the same problem. What I did was simply to create a timer that fires based on your inactivity timeout (user keyboard inactivity). The activity can be on a character or carriage return basis. If your criteria is met, restart the timer. When the timer fires, disconnect the session using the appropriate api.

-----Original Message-----
From: "Ming-Ching Tiew" <***@redtone.com>
To: ***@ucc.asn.au
Sent: 9/3/08 4:47 AM
Subject: Re: inactivity timeout or disconnect
Post by Cristian Ionescu-Idbohrn
Post by Ming-Ching Tiew
Post by Ming-Ching Tiew
I am using dropbear as sshd server and dbclient as ssh client
and I do reverse port forward between the client and the server
( ie it does not start shell ). That has been working.
And I want to have an activity disconnect after certain
period of inactivity from the client. How can I do it ?
I did some search, and I have come to conclusion that
dropbear could not do it, and openssh daemon could
not do it too ! I am surprised !
Anyone has a workaround ?
Take a look at the ssh_config man page and look for caseless 'alive'
string.
ServerAliveCountMax
ServerAliveInterval
TCPKeepAlive
They aren't the same thing as "inactivity timeout" or "idle timeout".
Those parameters serve these purposes :-

1. Keep connection alive for the purpose of firewalling.
2. Disconnect if there is a stale connection due to network
failure.

And so on. That's more or less the same as dropbear's -K
( keepalive ) option.

But on a perfect network, the keepalive will continue to
allow session to be maintained even though there is
no user-level activity and so it will not disconnect
the session.

Based on the document I read, ssh1 does have a "IdleTimeOut"
parameter but unfortunately, when openssh is written,
there is no more such implementation.

Regards.