Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfsense-ce 2.7.4 SSH server: how to config ClientAliveCountMax and ClientAliveInterval

    Scheduled Pinned Locked Moved General pfSense Questions
    sshd
    20 Posts 5 Posters 2.3k Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O Offline
      oldunixguy @stephenw10
      last edited by

      @stephenw10
      thanks for the reply and proposal. I did place these settings in the /etc/sshd_extras and they do appear in /etc/ssh/sshd_config after boot.
      However, I noticed the runtime config file now has 2 ClientAliveInterval. An "original" with value 30 and now mine at the end with value 60.
      Does this sshd use the "last one set"?

      I haven't run any tests yet to confirm if it works as intended. I will report back once tested.

      thanks
      oldunixguy

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG Offline
        Gertjan @oldunixguy
        last edited by

        @oldunixguy

        Normally, yes.
        If a second identical settings like "ClientAliveCountMax" (with the same or another value) couldn't be taken in account, there would be an error and ssh refused to start.
        Its very common to see a global config file for a process, and at the end this global config file it "sources" = includes other 'user' config files so every user can override certain behaviors, without having them to edit the global config file.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • O Offline
          oldunixguy @stephenw10
          last edited by

          @stephenw10
          Well, I have done testing and found interesting and unexpected results!
          If I use these:
          TCPKeepAlive no
          ClientAliveInterval 60
          ClientAliveCountMax 5

          I get a 4-packet interaction with no data every 60 seconds.
          No. Time Source Destination Protocol Length Info
          1 19:13:17.934396101 192.168.0.1 192.168.0.100 TCP 146 EtherNet-IP-1(2222) → 50324 [PSH, ACK] Seq=1 Ack=1 Win=514 Len=80 TSval=1106488073 TSecr=23442467
          2 19:13:17.934467400 192.168.0.100 192.168.0.1 TCP 66 50324 → EtherNet-IP-1(2222) [ACK] Seq=1 Ack=81 Win=433 Len=0 TSval=23457485 TSecr=1106488073
          3 19:13:17.934854830 192.168.0.100 192.168.0.1 TCP 114 50324 → EtherNet-IP-1(2222) [PSH, ACK] Seq=1 Ack=81 Win=433 Len=48 TSval=23457485 TSecr=1106488073
          4 19:13:17.934987922 192.168.0.1 192.168.0.100 TCP 66 EtherNet-IP-1(2222) → 50324 [ACK] Seq=81 Ack=49 Win=514 Len=0 TSval=1106488073 TSecr=23457485
          5 19:14:17.990412665 192.168.0.1 192.168.0.100 TCP 146 EtherNet-IP-1(2222) → 50324 [PSH, ACK] Seq=81 Ack=49 Win=514 Len=80 TSval=1106548129 TSecr=23457485
          6 19:14:17.990730251 192.168.0.100 192.168.0.1 TCP 114 50324 → EtherNet-IP-1(2222) [PSH, ACK] Seq=49 Ack=161 Win=433 Len=48 TSval=23472499 TSecr=1106548129
          7 19:14:17.990885455 192.168.0.1 192.168.0.100 TCP 66 EtherNet-IP-1(2222) → 50324 [ACK] Seq=161 Ack=97 Win=514 Len=0 TSval=1106548129 TSecr=23472499

          But if I use these:
          TCPKeepAlive no
          ClientAliveInterval 577
          ClientAliveCountMax 5

          I get a 3-packet interaction with no data EVERY 60 SECONDS TOO!
          No. Time Source Destination Protocol Length Info
          1 18:44:06.611970133 192.168.0.1 192.168.0.100 TCP 146 EtherNet-IP-1(2222) → 33162 [PSH, ACK] Seq=1 Ack=1 Win=514 Len=80 TSval=1333636851 TSecr=23004634
          2 18:44:06.612549986 192.168.0.100 192.168.0.1 TCP 114 33162 → EtherNet-IP-1(2222) [PSH, ACK] Seq=1 Ack=81 Win=368 Len=48 TSval=23019655 TSecr=1333636851
          3 18:44:06.612703368 192.168.0.1 192.168.0.100 TCP 66 EtherNet-IP-1(2222) → 33162 [ACK] Seq=81 Ack=49 Win=514 Len=0 TSval=1333636851 TSecr=23019655
          4 18:45:06.718264889 192.168.0.1 192.168.0.100 TCP 146 EtherNet-IP-1(2222) → 33162 [PSH, ACK] Seq=81 Ack=49 Win=514 Len=80 TSval=1333696958 TSecr=23019655
          5 18:45:06.718555272 192.168.0.100 192.168.0.1 TCP 114 33162 → EtherNet-IP-1(2222) [PSH, ACK] Seq=49 Ack=161 Win=368 Len=48 TSval=23034681 TSecr=1333696958
          6 18:45:06.718715827 192.168.0.1 192.168.0.100 TCP 66 EtherNet-IP-1(2222) → 33162 [ACK] Seq=161 Ack=97 Win=514 Len=0 TSval=1333696958 TSecr=23034681

          With yet another combo:
          TCPKeepAlive yes
          ClientAliveInterval 577
          ClientAliveCountMax 5

          I get another surprise. I get a 4-packet interaction with no data STILL every 60 seconds.
          No. Time Source Destination Protocol Length Info
          1 19:24:35.388744615 192.168.0.1 192.168.0.100 TCP 146 EtherNet-IP-1(2222) → 55827 [PSH, ACK] Seq=1 Ack=1 Win=514 Len=80 TSval=3386117535 TSecr=23611825
          2 19:24:35.388796613 192.168.0.100 192.168.0.1 TCP 66 55827 → EtherNet-IP-1(2222) [ACK] Seq=1 Ack=81 Win=329 Len=0 TSval=23626849 TSecr=3386117535
          3 19:24:35.389019805 192.168.0.100 192.168.0.1 TCP 114 55827 → EtherNet-IP-1(2222) [PSH, ACK] Seq=1 Ack=81 Win=329 Len=48 TSval=23626849 TSecr=3386117535
          4 19:24:35.389069586 192.168.0.1 192.168.0.100 TCP 66 EtherNet-IP-1(2222) → 55827 [ACK] Seq=81 Ack=49 Win=514 Len=0 TSval=3386117535 TSecr=23626849
          5 19:25:35.440817650 192.168.0.1 192.168.0.100 TCP 146 EtherNet-IP-1(2222) → 55827 [PSH, ACK] Seq=81 Ack=49 Win=514 Len=80 TSval=3386177587 TSecr=23626849
          6 19:25:35.441252260 192.168.0.100 192.168.0.1 TCP 114 55827 → EtherNet-IP-1(2222) [PSH, ACK] Seq=49 Ack=161 Win=329 Len=48 TSval=23641862 TSecr=3386177587
          7 19:25:35.441428552 192.168.0.1 192.168.0.100 TCP 66 EtherNet-IP-1(2222) → 55827 [ACK] Seq=161 Ack=97 Win=514 Len=0 TSval=3386177588 TSecr=23641862

          I conclude from this that changing TCPKeepAlive does not affect the time interval and does not change whether I get 4 packets or 3 packets.

          Setting a large ClientAliveInterval such that it should not emit in 60 seconds does NOT work regardless of the TCPKeepAlive setting. It still emits at 60 seconds.

          And what is this variation with 3 or 4 packets?

          It looks like these are not working at all.
          regards
          oldunixguy

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Are you sure it's not the other side sending keep alives? I assume 2222 is the server port?

            O 1 Reply Last reply Reply Quote 0
            • O Offline
              oldunixguy @stephenw10
              last edited by

              @stephenw10
              This design has been used for years with our clients and and openssh servers.
              The client is NOT configured for generating TCPKeepAlives nor ServerAliveInterval or CountMax. Instead the server is initiating the keep alives. In this test case the server is 192.168.0.1. In all the test cases you can see in the traces that the server initiates the keep alive probe. the client end is 192.168.0.100. The traces reflect the proper sequences but NOT the proper time intervals. The 3-packet versus 4-packet matter is yet to be studied by me and as an operational matter not that interesting. The time intervals are the important matter.
              thanks
              oldunixguy

              1 Reply Last reply Reply Quote 1
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by stephenw10

                Hmm, I would probably try removing the duplicate ClientAliveInterval value then. Just comment out the line:
                https://github.com/pfsense/pfsense/blob/RELENG_2_7_2/src/etc/sshd#L82

                Or just set it to 60 there directly as a test.

                1 Reply Last reply Reply Quote 0
                • O Offline
                  oldunixguy
                  last edited by

                  Well, I'm back and the problem still exists. I just tested pfsense ce 2.8 and it does NOT work.

                  I enter the folloeing in /etc/sshd_extra
                  TCPKeepAlive no
                  ClientAliveInterval 60
                  ClientAliveCountMax 5

                  reboot

                  then examine the /etc/ssh/sshd_config

                  In it there is NO TCPKeepAlive at all, even commented.
                  There IS a ClientAliveInterval 30 BUT this is not correct value.
                  There is NO ClientAliveCountMax at all, even commented.

                  With other sshd implementations if there is not an entry for a value, say TCPKeepAlive, then an internal DEFAULT is used.

                  From previous report it seems the default TCPKeepAlive is "active".

                  So, the procedure to "alter" or "add" sshd config values here is BROKEN.

                  Could someone produce a bug report so this can get fixed?
                  thanks
                  oldunixguy

                  GertjanG patient0P 2 Replies Last reply Reply Quote 0
                  • GertjanG Offline
                    Gertjan @oldunixguy
                    last edited by Gertjan

                    @oldunixguy

                    I created the file : /etc/sshd_extra and added :
                    #test line 1
                    #test line 2
                    TCPKeepAlive no
                    ClientAliveInterval 60
                    ClientAliveCountMax 5

                    Then I unchecked :

                    e7595a7b-eae1-4011-abb8-ceffd44d8dbc-image.png

                    and saved, (the SSH connection stopped, that's normal) then checked it again, and Saved.

                    I entered SSH again, and :

                    [25.07-RC][root@pfSense.bhf.tld]/root: cat /etc/ssh/sshd_config
                    # This file is automatically generated at startup
                    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
                    Port 22
                    Protocol 2
                    HostKey /etc/ssh/ssh_host_rsa_key
                    HostKey /etc/ssh/ssh_host_ed25519_key
                    ....... (snipped) .....
                    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
                    # override default of no subsystems
                    Subsystem       sftp    /usr/libexec/sftp-server
                    #test line 1
                    #test line 2
                    TCPKeepAlive no
                    ClientAliveInterval 60
                    ClientAliveCountMax 5
                    

                    so the 'extra' lines were added.

                    Btw : I do presume that 25.07 (pfSense Plus) and 2.8.0, pfSense CE, behave the same way ...

                    The script to include the "sshd_extra info" is still there in 'master' : https://github.com/pfsense/pfsense/blob/master/src/etc/sshd

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    1 Reply Last reply Reply Quote 0
                    • patient0P Offline
                      patient0 @oldunixguy
                      last edited by

                      @oldunixguy disclaimer: I have no used these settings before but I was interested and did some reading and testing.

                      Why are the ClientAlive* settings not applied: FreeBSD Manual Pages: sshd_config states:

                      "Unless noted otherwise, for each keyword, the first obtained value will be used."

                      Since ClientAliveInterval is already set by pfSense, the later added custom setting has no effect.

                      One way to make it work for me is to use the Match directive to overwrite these settings. The above mentioned man pages list which directive can be overwritten with Match, the ClientAlive* are on the list.

                      My /etc/sshd_extra looked like:

                      TCPKeepAlive no
                      Match Address *
                              ClientAliveInterval 60
                              ClientAliveCountMax 5
                      

                      Since TCPKeepAlive is not set by pfSense, overwriting will work (but is not allowed in Match). You can restrict Address to subnets if that is necessary. E.g.

                      Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

                      ... to only apply it non-WAN addresses.

                      I'm not sure about the TCP flow to expect. Testing with a Debian client and connecting to pfSense CE 2.8.1-BETA and a Debian 12 server, both with the same Match statements, resulted in the same flow: first a 4 packages exchange and 3 packages after that.

                      GertjanG 1 Reply Last reply Reply Quote 2
                      • GertjanG Offline
                        Gertjan @patient0
                        last edited by

                        @patient0 said in pfsense-ce 2.7.4 SSH server: how to config ClientAliveCountMax and ClientAliveInterval:

                        "Unless noted otherwise, for each keyword, the first obtained value will be used."

                        Nice catch :
                        Thanks - that made me remember : just adding parameters hoping that "the last one is taken in account", which is something I did presume - doesn't work.
                        So, this is a "sshd" issue.

                        Editing "https://github.com/pfsense/pfsense/blob/master/src/etc/sshd" (make a patch for it so it auto applies) after an pfSense upgrade/update) will do the job.
                        The match trick is also a good idea and worth testing.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by stephenw10

                          Mmm, there's no bug here that I can see, it's behaving exactly as expected. We could open a feature request perhaps.

                          Using a patch as a workaround seems reasonable if you really need that though.

                          GertjanG 1 Reply Last reply Reply Quote 0
                          • GertjanG Offline
                            Gertjan @stephenw10
                            last edited by

                            @stephenw10 said in pfsense-ce 2.7.4 SSH server: how to config ClientAliveCountMax and ClientAliveInterval:

                            We could open a feature request perhaps.

                            Like : instead of appending, prepending the sshd_extra file ?

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              I was thinking more like exposing some of those values in the gui in an advanced config section for users who might need to set them.

                              1 Reply Last reply Reply Quote 0
                              • O Offline
                                oldunixguy
                                last edited by

                                This must be considered a bug because ALL of the settings which are cast in concrete in the current /etc/ssh/sshd_config CANNOT BE CHANGED!

                                2 approaches to fix:

                                1. let the world edit /etc/ssh/sshd_config like 99% of the implementations for a very long time.

                                or

                                1. place ALL of the contents of /etc/ssh_extra BEFORE the template used to create /etc/ssh/sshd_config. Then any and all in /etc/sshd_extra overrides all of the template entries.

                                I prefer #1 to make it work like the rest of the world. Frankly, I'm amazed this has been busted for so long.

                                thanks
                                oldunixguy

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  It's not a bug because that's the expected behaviour. You could consider it a missing feature if you need to make changes there. Open a feature request: https://redmine.pfsense.org/

                                  This is the first time I've seen anyone ask about it in 10 years though so it's clearly not a huge problem.

                                  You could just patch the file to create the config with the values you need then carry that as a custom patch in the patches package.

                                  O 1 Reply Last reply Reply Quote 1
                                  • O Offline
                                    oldunixguy @stephenw10
                                    last edited by

                                    @stephenw10
                                    In essence what you are saying is that ALL of the settings in /etc/ssh/sshd_config, AND THERE ARE A LOT OF THEM, cannot be changed!

                                    And you don't think that is a problem?

                                    I have hundreds of sshd_config files with significant changes on numerous linux, windows, raspberry pis and more. SSH would not work for my customers without all these changes!

                                    So pfsense just won't work then. Incredible!

                                    regards
                                    oldunixguy

                                    johnpozJ 1 Reply Last reply Reply Quote 0
                                    • johnpozJ Offline
                                      johnpoz LAYER 8 Global Moderator @oldunixguy
                                      last edited by

                                      @oldunixguy must be really important since you waited 2 months to answer. But that is not what he said at all.. What he said is change the file that creates those values via a patch.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                      1 Reply Last reply Reply Quote 0
                                      • stephenw10S Offline
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        Indeed. That file is auto-generated using default values that work for almost everyone. It cannot be edited manually.

                                        It isn't a problem in as much as this is the first time I've ever seen anyone ask about it.

                                        It's clearly a problem for you because you're using a custom client side config.

                                        A solution to that would be to carry a custom patch in pfSense that changes the default values used to generate the file so it works for you.

                                        And/or you can open a feature request to expose those settings in the gui,

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.