Trying to change the timeout settings for SSH so that users aren't kicked out after 1h.
Did change below settings in file:
TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.
IdleTimeOut 8h
KeepAlive yes
Any suggestions on what I'm missing in the configuration?
Full config-file:
ty TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.
# SSH CONFIGURATION FILE FORMAT VERSION 1.1
# REGEX-SYNTAX egrep
# end of metaconfig
# (do not change above lines!)
#
# File name: SSHD2_CONFIG.
# Product: HP TCP/IP Services for OpenVMS
# Version: V5.7-ECO5
#
# © Copyright 1976, 2009 Hewlett-Packard Development Company, L.P.
#
#
# ssh 3.2 server configuration file
#
## General
HostKeyFile hostkey
PublicHostKeyFile hostkey.pub
RandomSeedFile random_seed
# BannerMessageFile /etc/ssh2/ssh_banner_message
# BannerMessageFile /etc/issue.net
PrintSysAnnounce yes
PrintSysWelcome yes
PrintOnlySysAnnounceAfterLogin no
# SftpSyslogFacility LOCAL7
SyslogFacility AUTH
# SyslogFacility LOCAL7
# QuietMode no
VerboseMode no
## Network
Port 22
ListenAddress any
RequireReverseMapping no
# ResolveClientHostName yes
MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay no
KeepAlive yes
# MaxConnections 50
# MaxConnections 0
# 0 == number of connections not limited
## Crypto
Ciphers AnyCipher
# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes "none" 'cipher':
# Ciphers AnyStd
MACs AnyMAC
# MACs AnyStdMAC
# Following includes "none" 'mac':
# MACs AnyStd
# RekeyIntervalSeconds 3600
## User
CheckMail yes
PrintMotd yes
# StrictModes yes
# Specifies 1 hour
# (you can also use 'w' for week, 'd' for day, 'm' for minute, 's' for seconds)
IdleTimeOut 8h
# without specifier, the default number is in seconds
# IdleTimeOut 3600
UserConfigDirectory "%Dssh2"
# UserConfigDirectory "/etc/ssh2/auth/%U"
AuthorizationFile authorization
# This variable is set here, because by default it's empty, and so no
# variables can be set. Because of that, we set a few common ones here.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ
## Tunneling
AllowX11Forwarding yes
AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl, cowboyneal@slashdot\.org
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:
# ForwardACL allow local s.*%10 proxy\.company\.com%8080
# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*
## Authentication
## V5.5-03
## publickey and password are allowed by default
## (least interactive method should be usually attempted first)
# Valid options for all fields that take authentication method names
# or lists of them are:
#
# hostbased
# publickey
# password
# kerberos-2@ssh.com
# kerberos-tgt-2@ssh.com
# gssapi-with-mic
# AllowedAuthentications publickey, password
# AllowedAuthentications hostbased, publickey, password
# RequiredAuthentications publickey, password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
AllowAgentForwarding yes
# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional pam, password
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
# PermitEmptyPasswords no
PasswordGuesses 3
## Host restrictions
AllowHosts localhost, *
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
## AllowHosts t..l.\..*
## The following matches any numerical IP-address (yes, it is cumbersome)
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
## Same thing is achieved with using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
# IP-addresses. Using the above example:
#
# AllowHosts \i.*
#
# You can probably see the difference between the two.
#
# Also, you can use subnet masks, by using prefix "\m"
#
# AllowHosts \m127.0/8
#
# AllowHosts \m127.0.0.0/24
#
# would match localhost ("127.0.0.1").
#
# DenyHosts evil\.org, aol\.com
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org
# IgnoreRhosts no
# IgnoreRootRHosts no
#
# (the above, if not set, is defaulted to the value of IgnoreRHosts)
## User restrictions
# AllowUsers sj.*,s[[:digit:]]*,s(jl|amza)
# DenyUsers skuuppa,warezdude,31373
# DenyUsers don@untrusted\.org
# AllowGroups staff,users
# DenyGroups guest,anonymous
PermitRootLogin yes
# PermitRootLogin nopwd
## Chrooted environment
# ChRootGroups sftp,guest
# ChRootUsers anonymous,ftp,guest
## SSH1 compatibility
# Ssh1Compatibility no
# Sshd1Path <set by configure by default>
# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.
# Sshd1ConfigFile /etc/sshd_config_alternate
## Subsystem definitions
# Subsystems don't have defaults, so this is needed here (uncommented).
subsystem-sftp /sys$system/tcpip$ssh_sftp-server2
# Also internal sftp-server subsystem can be used.
# subsystem-sftp internal://tcpip$ssh_sftp-server2
## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host specific files
# are read before the user specific files.
# Following matches (from) any host
#
# HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character long
# username or is sjl and belong to group wheel or wheel[0-9]
# UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /etc/ssh2/subconfig/user.example
# Following matches to the user anonymous from any host
# UserSpecificConfig anonymous@.* /etc/ssh2/subconfig/anonymous.example
## OpenVMS backward compatibility V5.5-04
# Uncomment this line if needed to ensure compatibility of server
# with OpenVMS ssh clients (V5.4 ECO 4 and earlier)
# ProtocolVersionString "2.4.1 SSH Secure Shell OpenVMS V1.0"
## OpenVMS auditing and access control
# V5.5-04: Correct default for AllowVmsLoginWithExpiredPw
# AllowVmsLoginWithExpiredPw yes
AllowNonvmsLoginWithExpiredPw yes
# UserLoginLimit -1
#
# V5.5-02 Change pubkey to publickey
# AccountingAuthentications publickey,password,hostbased
# IntrusionAuthentications publickey,password,hostbased
# IntrusionIdentMethod publickey,password,hostbased
# IntrusionIdentSsh publickey,password,hostbased
# LogfailAuthentications publickey,password,hostbased
#
# V5.5-05
# Valid options are:
# none: no special action (default)
# This option is also in effect if there is no value specified, or if
# the variable is commented out.
# break: break lock (xauth -b)
# ignore: ignore lock (xauth -i)
# file: use alternate xauth filename (xauth -f {filename})
#
# DecwXauthLockAction none
#
# V5.5-06
# If "yes" then the local user name is used in the intrusion record in place of
# SSH_xxxxxxxx where 'xxxxxxxx' is HEX IP address of remote host. This makes for
# more unique intrusion records and prevents the case of one intruder on a
# remote host locking out all users from that host. This field is especially
# useful in environments where multiple client hosts appear to be from the same
# remote IP address.
#
# If "no" then SSH_xxxxxxxx is used in the intrusion record.
#
# Default is "yes".
#
# This field is experimental. It may not work for public key and host based
# authentication.
#
# This field is not currently used for SSH logins from the TCP/IP Services for
# OpenVMS SSH client.
#
# IntrusionIdentLocalUser yes
# TryKerberosPassword is a boolean that tells the SSH server, for password
# authentication, to try to validate the password with Kerberos before trying it
# against the SYSAUF.
#
# Default is "no".
#
# TryKerberosPassword no
# GssapiSendError is a Boolean that tells the SSH server, when a GSSAPI call
# incurs an error, to send to the client a textual message with information as
# to the cause of an error. This message is typically displayed to the SSH
# client user.
#
# Default is "no".
#
# GssapiSendError no
# GssapiSendErrtok is a Boolean that tells the SSH server to send a
# SSH_MSG_USERAUTH_GSSAPI_ERRTOK message to the client when a
# GSSAPI call incurs an error.
#
# Default is "no".
#
# GssapiSendErrtok no
# PTR 70-5-2911: Control access to sftp-server2
# This one restricts all access; no granularity at user level
# DisallowSftpServer no
# This one allows specification by user; use of regular expressions is
# as with DenyUsers. Restriction by groups not yet implemented.
# SftpDenyUsers username1.*,username2
# Note that control of access through the identifier
# TCPIP$SSH_FILECOPY_DISALLOWED granted to the user is not controlled by
# either of these configuration variables.
But I still get a disconnect after 1h with the following error.
ty TCPIP$SSH_DEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG;579
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Fri 22 10:12:39 INFORMATIONAL: Starting image in auxiliary server mode.
Fri 22 10:12:39 INFORMATIONAL: connection from "192.168.91.220"
Fri 22 10:12:40 NOTICE: User XXXXXXXXX local password accepted.
Fri 22 10:12:40 NOTICE: Password authentication for user XXXXXXXX accepted.
Fri 22 10:12:40 NOTICE: User XXXXXXXXX, coming from XXXXXXXXXXXXX, authenticated.
Fri 22 11:12:40 INFORMATIONAL: Local disconnected: Malformed first key exhange packet.
Fri 22 11:12:40 WARNING: Protocol error in local: 'Malformed first key exhange packet.'
TCPIP$SSH job terminated at 22-OCT-2021 11:12:40.29
Accounting information:
Buffered I/O count: 1079 Peak working set size: 18016
Direct I/O count: 166 Peak virtual size: 195856
Page faults: 922 Mounted volumes: 0
Charged CPU time: 0 00:00:00.10 Elapsed time: 0 01:00:00.88
TCPIP SHOW SERVICE SSH/FULL
Service: SSH
State: Enabled
Port: 22 Protocol: TCP Address: 0.0.0.0
Inactivity: 5 User_name: TCPIP$SSH Process: TCPIP$SSH
Limit: 10000 Active: 1 Peak: 1
File: TCPIP$SYSTEM:TCPIP$SSH_RUN.COM
Flags: Listen IPv6
Socket Opts: Rcheck Scheck
Receive: 0 Send: 0
Log Opts: Acpt Actv Dactv Conn Error Exit Logi Logo Mdfy Rjct TimO Addr
File: TCPIP$SSH_DEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG
Security
Reject msg: TCPIP SSH Connection refused
Accept host: 0.0.0.0
Accept netw: 0.0.0.0
//Niklas
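A small troubleshooting script, added here as an example and not part of the original post: it reads the time-specifier syntax the SSHD2_CONFIG comments describe (w/d/m/s, bare number = seconds; 'h' as used in "IdleTimeOut 8h" is assumed to be accepted too), works out which timeout keywords are active versus only present as commented-out defaults, and checks which of those intervals coincides with the "Elapsed time" in the job accounting block. The excerpts are constructed from the posted config and log; whether the commented "RekeyIntervalSeconds 3600" default is really what ends the session is an assumption to verify on the server, not a finding.

```python
import re

# Unit multipliers from the SSHD2_CONFIG comments (w, d, m, s; bare number = seconds).
# 'h' is assumed to be valid because the post uses "IdleTimeOut 8h".
UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
# Constructed excerpts of the posted SSHD2_CONFIG and TCPIP$SSH_RUN.LOG (not the full files).
CONFIG_EXCERPT = """\
# RekeyIntervalSeconds 3600
IdleTimeOut 8h
# IdleTimeOut 3600
"""
LOG_EXCERPT = """\
Fri 22 11:12:40 WARNING: Protocol error in local: 'Malformed first key exhange packet.'
Charged CPU time: 0 00:00:00.10 Elapsed time: 0 01:00:00.88
"""

def parse_timespec(spec):
    """'8h' -> 28800, '30m' -> 1800, '3600' -> 3600 (no suffix means seconds)."""
    m = re.fullmatch(r"(\d+)([wdhms])?", spec.strip())
    if not m:
        raise ValueError(f"bad time specifier: {spec!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def effective_settings(config_text, keywords):
    """Map keyword -> (value, active). active=False means only a commented-out default was seen."""
    found = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        active = not stripped.startswith("#")
        parts = stripped.lstrip("# ").split(None, 1)
        if len(parts) != 2 or parts[0] not in keywords:
            continue
        key, value = parts
        if active or key not in found:  # an active line overrides; a commented one only fills a gap
            found[key] = (value.strip(), active)
    return found

def elapsed_seconds(log_text):
    """Read the DCL accounting line 'Elapsed time: D HH:MM:SS.cc' and return seconds."""
    m = re.search(r"Elapsed time:\s+(\d+)\s+(\d+):(\d+):(\d+\.\d+)", log_text)
    d, h, mi, s = m.groups()
    return int(d) * 86400 + int(h) * 3600 + int(mi) * 60 + float(s)

def matching_intervals(config_text, log_text, tolerance=5.0):
    """List interval keywords whose value (active or commented default) matches the session length."""
    elapsed = elapsed_seconds(log_text)
    settings = effective_settings(config_text, {"IdleTimeOut", "RekeyIntervalSeconds"})
    return [(k, "active" if active else "commented default")
            for k, (v, active) in settings.items()
            if abs(parse_timespec(v) - elapsed) <= tolerance]
```

Run it against the real config and log files (in that order) to see whether the 01:00:00 session length lines up with the active IdleTimeOut or with a default that is only commented out.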