SSH Timeout settings


Topic author
niklas
Contributor

SSH Timeout settings

Post by niklas » Fri Oct 22, 2021 7:44 am

Hi,
Trying to change the timeout settings for SSH so that users aren't kicked out after 1h.
I changed the settings below in the file:
TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.

IdleTimeOut 8h
KeepAlive yes


Any suggestions on what I'm missing in the configuration?

Full config-file:

Code:

ty TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.
# SSH CONFIGURATION FILE FORMAT VERSION 1.1
# REGEX-SYNTAX egrep
# end of metaconfig
# (do not change above lines!)

#
# File name:      SSHD2_CONFIG.
# Product:        HP TCP/IP Services for OpenVMS
# Version:        V5.7-ECO5
#
# © Copyright 1976, 2009 Hewlett-Packard Development Company, L.P.
#

#
# ssh 3.2 server configuration file
#

## General

    HostKeyFile                         hostkey
    PublicHostKeyFile                   hostkey.pub
    RandomSeedFile                      random_seed
#   BannerMessageFile                   /etc/ssh2/ssh_banner_message
#   BannerMessageFile                   /etc/issue.net
    PrintSysAnnounce                    yes
    PrintSysWelcome                     yes
    PrintOnlySysAnnounceAfterLogin      no

#   SftpSyslogFacility                  LOCAL7
    SyslogFacility                      AUTH
#   SyslogFacility                      LOCAL7
#   QuietMode                           no
    VerboseMode                         no

## Network

    Port                                22
    ListenAddress                       any
    RequireReverseMapping               no
#   ResolveClientHostName               yes
    MaxBroadcastsPerSecond              0
#   MaxBroadcastsPerSecond              1
#   NoDelay                             no
    KeepAlive                           yes
#   MaxConnections                      50
#   MaxConnections                      0
# 0 == number of connections not limited

## Crypto

    Ciphers                             AnyCipher
#   Ciphers                             AnyStdCipher
#   Ciphers                             3des
# Following includes "none" 'cipher':
#   Ciphers                             AnyStd

    MACs                                AnyMAC
#   MACs                                AnyStdMAC
# Following includes "none" 'mac':
#   MACs                                AnyStd

#   RekeyIntervalSeconds                3600

## User

    CheckMail                           yes
    PrintMotd                           yes
#   StrictModes                         yes
# Specifies 1 hour
# (you can also use 'w' for week, 'd' for day, 'm' for minute, 's' for seconds)
    IdleTimeOut                         8h
# without specifier, the default number is in seconds
#   IdleTimeOut                         3600

    UserConfigDirectory                 "%Dssh2"
#   UserConfigDirectory                 "/etc/ssh2/auth/%U"
    AuthorizationFile                   authorization

# This variable is set here, because by default it's empty, and so no
# variables can be set. Because of that, we set a few common ones here.
    SettableEnvironmentVars             LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ

## Tunneling

    AllowX11Forwarding                  yes
    AllowTcpForwarding                  yes

#   AllowTcpForwardingForUsers          sjl, cowboyneal@slashdot\.org
#   DenyTcpForwardingForUsers           2[[:digit:]]*4,peelo

#   AllowTcpForwardingForGroups         privileged_tcp_forwarders
#   DenyTcpForwardingForGroups          coming_from_outside

# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).

#   ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)

# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:

#   ForwardACL allow local s.*%10 proxy\.company\.com%8080

# Remote port forwarding is denied for all users to all hosts:
#   ForwardACL                          deny remote .* .*

## Authentication
## V5.5-03
## publickey and password are allowed by default
## (least interactive method should be usually attempted first)

# Valid options for all fields that take authentication method names
# or lists of them are:
#
#   hostbased
#   publickey
#   password
#   kerberos-2@ssh.com
#   kerberos-tgt-2@ssh.com
#   gssapi-with-mic

#   AllowedAuthentications              publickey, password
#   AllowedAuthentications              hostbased, publickey, password

#   RequiredAuthentications             publickey, password
#   LoginGraceTime                      600
#   AuthInteractiveFailureTimeout       2

#   HostbasedAuthForceClientHostnameDNSMatch no
#   UserKnownHosts                      yes
#
#   AuthPublicKey.MaxSize               0
#   AuthPublicKey.MinSize               0
    AllowAgentForwarding                yes

#   AuthKbdInt.NumOptional              0
#   AuthKbdInt.Optional                 pam, password
#   AuthKbdInt.Required                 password
#   AuthKbdInt.Retries                          3

#   PermitEmptyPasswords                no
    PasswordGuesses                     3

## Host restrictions

    AllowHosts                          localhost, *

## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.

##  AllowHosts                          t..l.\..*

## The following matches any numerical IP-address (yes, it is cumbersome)

##  AllowHosts                          ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}

## Same thing is achieved with using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
## IP-addresses.   Using the above example:
#
#   AllowHosts                          \i.*
#
# You can probably see the difference between the two.
#
# Also, you can use subnet masks, by using prefix "\m"
#
#   AllowHosts                          \m127.0/8
#
#   AllowHosts                          \m127.0.0.0/24
#
# would match localhost ("127.0.0.1").
#
#   DenyHosts                           evil\.org, aol\.com
#   AllowSHosts                         trusted\.host\.org
#   DenySHosts                          not\.quite\.trusted\.org
#   IgnoreRhosts                        no
#   IgnoreRootRHosts                    no
#
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions

#   AllowUsers                          sj.*,s[[:digit:]]*,s(jl|amza)
#   DenyUsers                           skuuppa,warezdude,31373
#   DenyUsers                           don@untrusted\.org
#   AllowGroups                         staff,users
#   DenyGroups                          guest,anonymous
    PermitRootLogin                     yes
#   PermitRootLogin                     nopwd

## Chrooted environment

#   ChRootGroups                        sftp,guest
#   ChRootUsers                         anonymous,ftp,guest

## SSH1 compatibility

#   Ssh1Compatibility                   no
#   Sshd1Path                           <set by configure by default>

# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.

#   Sshd1ConfigFile                     /etc/sshd_config_alternate

## Subsystem definitions

# Subsystems don't have defaults, so this is needed here (uncommented).

    subsystem-sftp                      /sys$system/tcpip$ssh_sftp-server2
# Also internal sftp-server subsystem can be used.

#   subsystem-sftp                      internal://tcpip$ssh_sftp-server2

## Subconfiguration

# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host specific files
# are read before the user specific files.

# Following matches (from) any host
#
#   HostSpecificConfig .* /etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
#   HostSpecificConfig \m192.168.0.0/16 /etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character long
# username or is sjl and belong to group wheel or wheel[0-9]

#   UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /etc/ssh2/subconfig/user.example

# Following matches to the user anonymous from any host

#   UserSpecificConfig anonymous@.* /etc/ssh2/subconfig/anonymous.example

## OpenVMS backward compatibility V5.5-04
#  Uncomment this line if needed to ensure compatibility of server
#  with OpenVMS ssh clients (V5.4 ECO 4 and earlier)
#  ProtocolVersionString "2.4.1 SSH Secure Shell OpenVMS V1.0"

## OpenVMS auditing and access control

#   V5.5-04: Correct default for AllowVmsLoginWithExpiredPw
#   AllowVmsLoginWithExpiredPw          yes
    AllowNonvmsLoginWithExpiredPw       yes
#   UserLoginLimit                      -1
#
#   V5.5-02 Change pubkey to publickey
#   AccountingAuthentications           publickey,password,hostbased
#   IntrusionAuthentications            publickey,password,hostbased
#   IntrusionIdentMethod                publickey,password,hostbased
#   IntrusionIdentSsh                   publickey,password,hostbased
#   LogfailAuthentications              publickey,password,hostbased
#
# V5.5-05
# Valid options are:
# none: no special action (default)
#   This option is also in effect if there is no value specified, or if
#   the variable is commented out.
# break: break lock (xauth -b)
# ignore: ignore lock (xauth -i)
# file: use alternate xauth filename (xauth -f {filename})
#
# DecwXauthLockAction none
#
# V5.5-06
# If "yes" then the local user name is used in the intrusion record in place of
# SSH_xxxxxxxx where 'xxxxxxxx' is HEX IP address of remote host. This makes for
# more unique intrusion records and prevents the case of one intruder on a
# remote host locking out all users from that host. This field is especially
# useful in environments where multiple client hosts appear to be from the same
# remote IP address.
#
# If "no" then SSH_xxxxxxxx is used in the intrusion record.
#
# Default is "yes".
#
# This field is experimental. It may not work for public key and host based
# authentication.
#
# This field is not currently used for SSH logins from the TCP/IP Services for
# OpenVMS SSH client.
#
# IntrusionIdentLocalUser               yes

# TryKerberosPassword is a boolean that tells the SSH server, for password
# authentication, to try to validate the password with Kerberos before trying it
# against the SYSAUF.
#
# Default is "no".
#
# TryKerberosPassword                   no

# GssapiSendError is a Boolean that tells the SSH server, when a GSSAPI call
# incurs an error, to send to the client a textual message with information as
# to the cause of an error. This message is typically displayed to the SSH
# client user.
#
# Default is "no".
#
# GssapiSendError                       no

# GssapiSendErrtok is a Boolean that tells the SSH server to send a
# SSH_MSG_USERAUTH_GSSAPI_ERRTOK message to the client when a
# GSSAPI call incurs an error.
#
# Default is "no".
#
# GssapiSendErrtok                      no

# PTR 70-5-2911: Control access to sftp-server2
# This one restricts all access; no granularity at user level
# DisallowSftpServer no
# This one allows specification by user; use of regular expressions is
# as with DenyUsers.  Restriction by groups not yet implemented.
# SftpDenyUsers                           username1.*,username2
# Note that control of access through the identifier
# TCPIP$SSH_FILECOPY_DISALLOWED granted to the user is not controlled by
# either of these configuration variables.
Restarted SSH server.

But I still get a disconnect after 1h with the following error.

Code:

ty TCPIP$SSH_DEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG;579
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Fri 22 10:12:39 INFORMATIONAL: Starting image in auxiliary server mode.
Fri 22 10:12:39 INFORMATIONAL: connection from "192.168.91.220"
Fri 22 10:12:40 NOTICE: User XXXXXXXXX local password accepted.
Fri 22 10:12:40 NOTICE: Password authentication for user XXXXXXXX accepted.
Fri 22 10:12:40 NOTICE: User XXXXXXXXX, coming from XXXXXXXXXXXXX, authenticated.
Fri 22 11:12:40 INFORMATIONAL: Local disconnected: Malformed first key exhange packet.
Fri 22 11:12:40 WARNING: Protocol error in local: 'Malformed first key exhange packet.'
TCPIP$SSH job terminated at 22-OCT-2021 11:12:40.29

Accounting information:
Buffered I/O count: 1079 Peak working set size: 18016
Direct I/O count: 166 Peak virtual size: 195856
Page faults: 922 Mounted volumes: 0
Charged CPU time: 0 00:00:00.10 Elapsed time: 0 01:00:00.88

Code:


TCPIP SHOW SERVICE SSH/FULL

Service: SSH
                           State:     Enabled
Port:               22     Protocol:  TCP             Address:  0.0.0.0
Inactivity:          5     User_name: TCPIP$SSH       Process:  TCPIP$SSH
Limit:           10000     Active:        1           Peak:         1

File:         TCPIP$SYSTEM:TCPIP$SSH_RUN.COM
Flags:        Listen IPv6

Socket Opts:  Rcheck Scheck
 Receive:            0     Send:               0

Log Opts:     Acpt Actv Dactv Conn Error Exit Logi Logo Mdfy Rjct TimO Addr
 File:        TCPIP$SSH_DEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG

Security
 Reject msg:  TCPIP SSH Connection refused

 Accept host: 0.0.0.0
 Accept netw: 0.0.0.0

//Niklas


debbee.west
VSI Expert
Contributor

Re: SSH Timeout settings

Post by debbee.west » Tue Oct 26, 2021 9:24 am

Niklas –

It may not be ssh disconnecting you, but something in the middle. Can we try this?

$ pipe tcpip sysconfig -q inet | search sys$pipe keep

From one of my systems:

6X86$ $ pipe tcpip sysconfig -q inet | search sys$pipe keep
tcp_keepalive_default = 0
tcp_keepcnt = 8
tcp_keepidle = 14400
tcp_keepinit = 150
tcp_keepintvl = 150


We are actually most interested in this value – tcp_keepidle

You should set that to be something like 900. That would be 15 minutes.
$ tcpip sysconfig -r inet tcp_keepidle 900

Then restart ssh

$ @sys$manager:tcpip$ssh_shutdown
$ @sys$manager:tcpip$ssh_startup

That would kick out all ssh users.

Once you have this tested, if successful, let's make this a permanent change.

$ edit tcpip$etc:sysconfigtab.dat
Under the inet section, add this line:

tcp_keepidle=900

If you do not have an inet: section, please add it. This is how it looks in my file:

inet:
tcp_keepidle=900


Topic author
niklas
Contributor

Re: SSH Timeout settings

Post by niklas » Wed Oct 27, 2021 3:27 am

Thanks Debbee for all your help!

The final thing that seems to have solved it was changing below value in SSH-config.

RekeyIntervalSeconds 51600

//Niklas
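Added worked example, not part of the thread and not VSI or HP code. It puts the thread's timers side by side: the sshd2_config time syntax documented in the IdleTimeOut comment of niklas's posted config (bare seconds or a w/d/h/m/s suffix), the TCP keepalive attributes from debbee.west's `tcpip sysconfig -q inet` output, and the RekeyIntervalSeconds value niklas changed. The script orders every timer that can act on a session that sits idle, so you can see which one a user will hit first. Assumptions, labelled in the code: the keepalive attributes are stored in 0.5 s units (the Tru64-derived convention, consistent with the 14400 = 2 h default shown in the sample, but check your own documentation), a commented-out `RekeyIntervalSeconds 3600` is taken as the 3600 s default it documents, `KeepAlive yes` in sshd2_config is what makes sshd request SO_KEEPALIVE on the socket while `tcp_keepalive_default = 0`, and the 3600 s "middlebox idle limit" is a constructed stand-in for whatever firewall or NAT sits between client and server.

```python
"""Idle-session timer budget for SSH on TCP/IP Services for OpenVMS.

Added example; constructed inputs. Nothing here talks to a real system:
it parses text in the formats shown in the forum thread and does the
arithmetic a practitioner would otherwise do by hand.
"""
import re

# Suffixes accepted by sshd2_config time values ("8h", "15m", "3600").
_SUFFIX_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1, "": 1}

# Constructed sample, copied from the `tcpip sysconfig -q inet | search sys$pipe keep`
# output posted in the thread.
SYSCONFIG_SAMPLE = """\
tcp_keepalive_default = 0
tcp_keepcnt = 8
tcp_keepidle = 14400
tcp_keepinit = 150
tcp_keepintvl = 150
"""


def parse_sshd2_duration(value):
    """'8h' -> 28800, '15m' -> 900, '3600' -> 3600 (bare number = seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([wdhms]?)\s*", value)
    if not m:
        raise ValueError("bad sshd2 time value: %r" % value)
    return int(m.group(1)) * _SUFFIX_SECONDS[m.group(2)]


def parse_sysconfig_inet(text):
    """Collect 'name = value' attributes from sysconfig -q output."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(-?\d+)\s*$", line)
        if m:
            attrs[m.group(1)] = int(m.group(2))
    return attrs


def keepalive_schedule(attrs, app_sets_keepalive, unit_seconds=0.5):
    """Seconds of silence until the first keepalive probe, and until the peer
    is declared dead (first probe + tcp_keepcnt * tcp_keepintvl).

    Returns None when no probe will ever be sent: with tcp_keepalive_default
    = 0 a socket only gets keepalives if the application asks for them
    (sshd2 'KeepAlive yes').  unit_seconds = 0.5 is an ASSUMPTION: the
    Tru64-style half-second unit, which is what makes 14400 equal 2 hours.
    """
    if attrs.get("tcp_keepalive_default", 0) == 0 and not app_sets_keepalive:
        return None
    first = attrs["tcp_keepidle"] * unit_seconds
    dead = first + attrs["tcp_keepcnt"] * attrs["tcp_keepintvl"] * unit_seconds
    return first, dead


def idle_timeline(sshd2, attrs, middlebox_idle_s, app_sets_keepalive=True,
                  unit_seconds=0.5):
    """Every timer that can act on an idle session, earliest first.

    sshd2 holds the raw config strings; middlebox_idle_s is whatever idle
    limit the network path enforces (a constructed value in the demo).
    """
    events = {
        "sshd2 IdleTimeOut": parse_sshd2_duration(sshd2["IdleTimeOut"]),
        "sshd2 rekey (RekeyIntervalSeconds)":
            parse_sshd2_duration(sshd2["RekeyIntervalSeconds"]),
        "middlebox idle limit (constructed)": middlebox_idle_s,
    }
    ka = keepalive_schedule(attrs, app_sets_keepalive, unit_seconds)
    if ka is not None:
        events["first TCP keepalive probe"] = ka[0]
    return sorted(events.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    attrs = parse_sysconfig_inet(SYSCONFIG_SAMPLE)
    # "before": the posted config, with the commented-out rekey line read as
    # the 3600 s default it documents (assumption).
    before = {"IdleTimeOut": "8h", "RekeyIntervalSeconds": "3600"}
    # "after": niklas's RekeyIntervalSeconds change plus debbee.west's
    # tcp_keepidle 900, interpreted in the assumed half-second unit.
    after = {"IdleTimeOut": "8h", "RekeyIntervalSeconds": "51600"}
    attrs_after = dict(attrs, tcp_keepidle=900)
    for label, cfg, a in (("before", before, attrs), ("after", after, attrs_after)):
        print(label)
        for name, secs in idle_timeline(cfg, a, middlebox_idle_s=3600):
            print("  %8.0f s  %s" % (secs, name))
```

Run as-is, the "before" listing shows the rekey and the constructed middlebox limit both landing at 3600 s, exactly one hour after authentication, which is where the posted log records the disconnect; the "after" listing shows the first keepalive probe at 450 s (900 half-seconds, not 15 minutes, if the unit assumption holds) well ahead of anything else. Replace the sample text with your own `sysconfig -q inet` output and the unit with the one your TCP/IP Services documentation states to get the figures for a real system.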


jonesd
Valued Contributor

Re: SSH Timeout settings

Post by jonesd » Fri Oct 29, 2021 10:18 am

niklas wrote:
Wed Oct 27, 2021 3:27 am
Thanks Debbee for all your help!

The final thing that seems to have solved it was changing below value in SSH-config.

RekeyIntervalSeconds 51600

//Niklas
Does setting it to zero disable the session re-keying altogether?

It would be nice if loginout.exe could support virtual terminals with using SSH so a broken connection for any reason could be recovered easily. Since SSH bypasses the normal interactive dialog for authenticating the user (i.e. PRC$M_NOPASSWORD), the logic that handles virtual terminal setup is skipped as well.
