From 52f98425101dc955f2919f6e60974c4fb4032de1 Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <rjk@greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for
compatibility.)
In batch mode, default ServerAliveInterval to five minutes.
Adjust documentation to match and to give some more advice on use of
keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2025-10-06
Patch-Name: keepalive-extensions.patch
---
readconf.c | 14 ++++++++++++--
ssh_config.5 | 21 +++++++++++++++++++--
sshd_config.5 | 3 +++
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/readconf.c b/readconf.c
index 0e91bb243..95d497938 100644
--- a/readconf.c
+++ b/readconf.c
@@ -178,6 +178,7 @@ typedef enum {
oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
oVersionAddendum, oRefuseConnection, oWarnWeakCrypto,
+ oProtocolKeepAlives, oSetupTimeOut,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -344,6 +345,8 @@ static struct {
{ "versionaddendum", oVersionAddendum },
{ "refuseconnection", oRefuseConnection },
{ "warnweakcrypto", oWarnWeakCrypto },
+ { "protocolkeepalives", oProtocolKeepAlives },
+ { "setuptimeout", oSetupTimeOut },
{ NULL, oBadOption }
};
@@ -1236,6 +1239,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
argv_consume(&ac);
break;
case oConnectTimeout:
+ case oSetupTimeOut: /* Debian-specific compatibility alias */
intptr = &options->connection_timeout;
parse_time:
arg = argv_next(&ac, &av);
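Review bot: The new "case oSetupTimeOut:" label falls straight into the ConnectTimeout handling with no notice to the user, so a configuration that still uses the old keyword keeps working silently and the alias can never be retired. Consider logging a debug-level message here that names ConnectTimeout as the replacement; the same applies to the oProtocolKeepAlives label in the next hunk.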
@@ -1978,6 +1982,7 @@ parse_pubkey_algos:
goto parse_flag;
case oServerAliveInterval:
+ case oProtocolKeepAlives: /* Debian-specific compatibility alias */
intptr = &options->server_alive_interval;
goto parse_time;
@@ -3013,8 +3018,13 @@ fill_default_options(Options * options)
options->rekey_interval = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
- if (options->server_alive_interval == -1)
- options->server_alive_interval = 0;
+ if (options->server_alive_interval == -1) {
+ /* in batch mode, default is 5mins */
+ if (options->batch_mode == 1)
+ options->server_alive_interval = 300;
+ else
+ options->server_alive_interval = 0;
+ }
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
if (options->control_master == -1)
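Review bot: In the new "batch_mode == 1" branch the literal 300 is a magic number and the comment only says "5mins". Combined with the server_alive_count_max default of 3 set just below, a batch session to an unresponsive server is now dropped after roughly 15 minutes, where it previously waited indefinitely at the SSH level. Suggest a named constant and a comment stating that only the unset value (-1) is overridden, so an explicit ServerAliveInterval of 0 still disables the probes.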
diff --git a/ssh_config.5 b/ssh_config.5
index a4589885c..718c870f8 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -335,9 +335,13 @@ If set to
.Cm yes ,
user interaction such as password prompts and host key confirmation requests
will be disabled.
+In addition, the
+.Cm ServerAliveInterval
+option will be set to 300 seconds by default (Debian-specific).
This option is useful in scripts and other batch jobs where no user
is present to interact with
-.Xr ssh 1 .
+.Xr ssh 1 ,
+and where it is desirable to detect a broken network swiftly.
The argument must be
.Cm yes
or
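Review bot: "swiftly" in the added sentence after ".Xr ssh 1 ," oversells a 300-second probe interval, and the paragraph does not say how to opt out. Suggest stating the interval plainly and adding that an explicit ServerAliveInterval of 0 keeps keepalives off in batch mode, since the code only overrides the unset value.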
@@ -658,6 +662,8 @@ Specifies the timeout (in seconds) used when connecting to the
SSH server, instead of using the default system TCP timeout.
This timeout is applied both to establishing the connection and to performing
the initial SSH protocol handshake and key exchange.
+.Cm SetupTimeOut
+is a Debian-specific compatibility alias for this option.
.It Cm ControlMaster
Enables the sharing of multiple sessions over a single network connection.
When set to
@@ -1990,7 +1996,12 @@ from the server,
will send a message through the encrypted
channel to request a response from the server.
The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set (Debian-specific).
+.Cm ProtocolKeepAlives
+is a Debian-specific compatibility alias for this option.
.It Cm SessionType
May be used to either request invocation of a subsystem on the remote system,
or to prevent the execution of a remote command at all.
@@ -2113,6 +2124,12 @@ Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
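Review bot: The added sentences are inserted between "will be properly noticed." and "However, this means that", so the antecedent of "this" now reads as the ServerAliveInterval advice rather than TCP keepalives being sent. Move the new text after the "find it annoying." sentence or reword the "However" sentence to name TCP keepalives explicitly. Also hyphenate "ssh-level" and join the stray line break in "you probably want / the".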
diff --git a/sshd_config.5 b/sshd_config.5
index 301c6be90..ceaeddc9d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1995,6 +1995,9 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication, or
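Review bot: The added "formerly called KeepAlive" paragraph does not say whether sshd still accepts the old keyword, and the diffstat for this patch touches only readconf.c on the code side, so nothing here shows a server-side alias. State explicitly whether KeepAlive is still parsed or must be replaced, so administrators auditing an old sshd_config know which applies.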