Netgate Discussion Forum

    pfsense-ce 2.7.4 SSH server: how to config ClientAliveCountMax and ClientAliveInterval

    General pfSense Questions
    sshd
    20 Posts 5 Posters 1.9k Views 5 Watching
    • patient0 @oldunixguy

      @oldunixguy disclaimer: I have not used these settings before, but I was interested and did some reading and testing.

      Why the ClientAlive* settings are not applied: the FreeBSD manual page for sshd_config states:

      "Unless noted otherwise, for each keyword, the first obtained value will be used."

      Since ClientAliveInterval is already set by pfSense, the later added custom setting has no effect.

      One way to make it work for me is to use the Match directive to overwrite these settings. The above-mentioned man page lists which directives can be overwritten with Match; the ClientAlive* ones are on the list.

      My /etc/sshd_extra looked like:

      TCPKeepAlive no
      Match Address *
              ClientAliveInterval 60
              ClientAliveCountMax 5
      

      Since TCPKeepAlive is not set by pfSense, overwriting it will work (but it is not allowed in Match). You can restrict Address to subnets if that is necessary, e.g.

      Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

      ... to only apply it to non-WAN addresses.

      I'm not sure what TCP flow to expect. Testing with a Debian client connecting to pfSense CE 2.8.1-BETA and to a Debian 12 server, both with the same Match statements, resulted in the same flow: first an exchange of 4 packages and 3 packages after that.

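To make the "first obtained value wins" rule from the man page concrete, here is a small Python model of sshd's keyword resolution. It is an added example written for this thread, not code from the forum, from pfSense or from OpenSSH, and it only models three things: first value wins in the global section, first value wins across matching Match blocks, and Match values override global ones. The two config strings are constructed; the ClientAliveInterval 30 / ClientAliveCountMax 3 values merely stand in for whatever pfSense generates and are not its real defaults, and the set of keywords permitted inside Match is an illustrative subset of the real list.

```python
"""Toy model of how sshd resolves a keyword's value (not OpenSSH's parser):
- in the global section the first obtained value wins, later ones are ignored;
- across Match blocks the same rule applies, first matching block wins;
- values from matching Match blocks override the global value.
"""
import ipaddress

# Illustrative subset of the keywords sshd_config(5) permits inside Match.
# TCPKeepAlive is deliberately absent, as noted in the thread.
MATCH_ALLOWED = {"ClientAliveInterval", "ClientAliveCountMax", "PasswordAuthentication"}


def parse(text):
    """Split config text into (global_opts, [(match_criteria, opts), ...]).
    Keywords are compared as written; real sshd treats them case-insensitively."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key.lower() == "match":
            current = {}                           # everything below belongs to this block
            blocks.append((value, current))
            continue
        if current is not None and key not in MATCH_ALLOWED:
            raise ValueError(f"Directive '{key}' is not allowed within a Match block")
        target = global_opts if current is None else current
        target.setdefault(key, value)              # first obtained value wins
    return global_opts, blocks


def address_matches(criteria, client_addr):
    """Evaluate an 'Address <cidr,...|*>' Match criterion (the only one modelled)."""
    kind, _, spec = criteria.partition(" ")
    if kind.lower() != "address":
        raise ValueError(f"Match criterion not modelled: {kind}")
    ip = ipaddress.ip_address(client_addr)
    return any(item == "*" or ip in ipaddress.ip_network(item, strict=False)
               for item in spec.split(","))


def effective_config(text, client_addr):
    """Return the keyword values that apply to a connection from client_addr."""
    global_opts, blocks = parse(text)
    match_opts = {}
    for criteria, opts in blocks:
        if address_matches(criteria, client_addr):
            for key, value in opts.items():
                match_opts.setdefault(key, value)  # first matching block wins per keyword
    return {**global_opts, **match_opts}           # Match values override global ones


def is_rejected(text):
    """True if the config would be refused (e.g. a non-Match keyword inside Match)."""
    try:
        parse(text)
        return False
    except ValueError:
        return True


# Constructed stand-in for the part pfSense generates; 30/3 are NOT pfSense's real defaults.
GENERATED = "ClientAliveInterval 30\nClientAliveCountMax 3\n"

# sshd_extra as it is appended today: both lines are ignored (first value already set).
EXTRA_APPENDED = "ClientAliveInterval 60\nClientAliveCountMax 5\n"

# sshd_extra using the Match workaround from the thread.
EXTRA_MATCH = """TCPKeepAlive no
Match Address *
        ClientAliveInterval 60
        ClientAliveCountMax 5
"""

# Same, restricted to RFC 1918 ranges so WAN clients keep the generated values.
EXTRA_MATCH_LAN = """TCPKeepAlive no
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
        ClientAliveInterval 60
        ClientAliveCountMax 5
"""

if __name__ == "__main__":
    for name, extra in [("appended", EXTRA_APPENDED), ("match", EXTRA_MATCH),
                        ("match-lan", EXTRA_MATCH_LAN)]:
        for addr in ("192.168.1.10", "203.0.113.7"):
            print(name, addr, effective_config(GENERATED + extra, addr))
```

The model shows the appended values never taking effect while the Match version does, and the LAN-restricted version applying only to RFC 1918 clients. On the firewall itself the authoritative check is sshd's own test mode, `sshd -T -C user=admin,host=client,addr=192.168.1.10 | grep -i clientalive`, which prints the effective values after Match processing for the client parameters given to `-C` (the user, host and address here are placeholders).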
      • Gertjan @patient0

        @patient0 said in pfsense-ce 2.7.4 SSH server: how to config ClientAliveCountMax and ClientAliveInterval:

        "Unless noted otherwise, for each keyword, the first obtained value will be used."

        Nice catch:
        Thanks, that made me remember: just adding parameters, hoping that "the last one is taken into account" (which is something I did presume), doesn't work.
        So, this is a "sshd" issue.

        Editing "https://github.com/pfsense/pfsense/blob/master/src/etc/sshd" (make a patch for it so it auto-applies after a pfSense upgrade/update) will do the job.
        The match trick is also a good idea and worth testing.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • stephenw10 Netgate Administrator (last edited by stephenw10)

          Mmm, there's no bug here that I can see, it's behaving exactly as expected. We could open a feature request perhaps.

          Using a patch as a workaround seems reasonable if you really need that though.

          • Gertjan @stephenw10

            @stephenw10 said in pfsense-ce 2.7.4 SSH server: how to config ClientAliveCountMax and ClientAliveInterval:

            We could open a feature request perhaps.

            Like: instead of appending, prepending the sshd_extra file?


            • stephenw10 Netgate Administrator

              I was thinking more like exposing some of those values in the gui in an advanced config section for users who might need to set them.

              • oldunixguy

                This must be considered a bug because ALL of the settings which are cast in concrete in the current /etc/ssh/sshd_config CANNOT BE CHANGED!

                2 approaches to fix:

                1. let the world edit /etc/ssh/sshd_config like 99% of the implementations for a very long time.

                or

                2. place ALL of the contents of /etc/sshd_extra BEFORE the template used to create /etc/ssh/sshd_config. Then any and all in /etc/sshd_extra overrides all of the template entries.

                I prefer #1 to make it work like the rest of the world. Frankly, I'm amazed this has been busted for so long.

                thanks
                oldunixguy

                • stephenw10 Netgate Administrator

                  It's not a bug because that's the expected behaviour. You could consider it a missing feature if you need to make changes there. Open a feature request: https://redmine.pfsense.org/

                  This is the first time I've seen anyone ask about it in 10 years though so it's clearly not a huge problem.

                  You could just patch the file to create the config with the values you need then carry that as a custom patch in the patches package.

                  • oldunixguy @stephenw10

                    @stephenw10
                    In essence what you are saying is that ALL of the settings in /etc/ssh/sshd_config, AND THERE ARE A LOT OF THEM, cannot be changed!

                    And you don't think that is a problem?

                    I have hundreds of sshd_config files with significant changes on numerous linux, windows, raspberry pis and more. SSH would not work for my customers without all these changes!

                    So pfsense just won't work then. Incredible!

                    regards
                    oldunixguy

                    • johnpoz LAYER 8 Global Moderator @oldunixguy

                      @oldunixguy must be really important since you waited 2 months to answer. But that is not what he said at all. What he said is: change the file that creates those values via a patch.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                      • stephenw10 Netgate Administrator

                        Indeed. That file is auto-generated using default values that work for almost everyone. It cannot be edited manually.

                        It isn't a problem in as much as this is the first time I've ever seen anyone ask about it.

                        It's clearly a problem for you because you're using a custom client side config.

                        A solution to that would be to carry a custom patch in pfSense that changes the default values used to generate the file so it works for you.

                        And/or you can open a feature request to expose those settings in the GUI.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.