Red Hat Bugzilla – Bug 111761
Suggest adding the watchdog patch to OpenSSH in Red Hat
Last modified: 2007-11-30 17:06:59 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Description of problem:
I'm unlucky enough to be working behind a Cisco PIX firewall, and every
time a ssh connection is idle for a certain amount of time that PIX
firewall tears down the connection.
Not only is my session killed, but it leaves a hanging sshd on the
remote machine (that eventually does time out, but it's still an
I patched OpenSSH to use the watchdog patch on my client box and set
the Heartbeat rate to one per minute. Now the PIX does not kill my
connections. I even still have them in the morning when returning to
work. Life is good now :)
The patch is very well done. The client (ssh) sends an SSH_MSG_IGNORE
message every "Heartbeat" seconds and per the SSH standard, all ssh
(sshd's) servers must accept and ignore those messages, so no changes
are needed in ssh servers for this feature. The OpenSSH already shipping
from Red Hat already handles the SSH_MSG_IGNORE messages correctly.
The patch also has a second feature (hence the name) and that's a
watchdog feature for the server. Its function is to detect when
clients have gone away and terminate the connection (and the sshd
child process that had it).
New config directives are:
and in /etc/ssh/sshd_config:
N = seconds. If 0 the feature is disabled.
The patch can be found here:
And I suggest it be included in everything from Fedora Core to the
Advanced server. It can be shipped with the new directives defaulting
to 0 so no change is apparent in functionality unless the user chooses
to activate them.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Not a bug, nothing to reproduce.
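
The wire format of the heartbeat described in the report above, as an added example that is not part of the original report or of the watchdog patch: it builds an SSH_MSG_IGNORE packet in the RFC 4253 binary packet layout and shows a receiver accepting and dropping it. The function names are hypothetical, and the packet is shown before the encryption and MAC that a real session applies after key exchange.

```python
import os
import struct

SSH_MSG_IGNORE = 2  # message number assigned in RFC 4253, section 11.2


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def frame_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Wrap a payload in the binary packet layout (plaintext, no MAC)."""
    # packet_length(4) + padding_length(1) + payload + padding must be a
    # multiple of the block size, with at least 4 bytes of random padding.
    pad = block_size - ((5 + len(payload)) % block_size)
    if pad < 4:
        pad += block_size
    body = bytes([pad]) + payload + os.urandom(pad)
    return struct.pack(">I", len(body)) + body


def build_heartbeat(filler: bytes = b"") -> bytes:
    """One keepalive: SSH_MSG_IGNORE carrying an arbitrary data string."""
    return frame_packet(bytes([SSH_MSG_IGNORE]) + ssh_string(filler))


def receive(packet: bytes):
    """Receiver side: return (msg_type, body), or None for SSH_MSG_IGNORE."""
    if len(packet) < 5:
        raise ValueError("short packet")
    (length,) = struct.unpack(">I", packet[:4])
    pad = packet[4]
    # Reject inconsistent lengths instead of slicing past the buffer.
    if length != len(packet) - 4 or pad < 4 or length - 1 - pad < 1:
        raise ValueError("malformed packet")
    payload = packet[5:4 + length - pad]
    if payload[0] == SSH_MSG_IGNORE:
        return None  # accepted and dropped: no reply, no state change
    return payload[0], payload[1:]


if __name__ == "__main__":
    hb = build_heartbeat()
    print(len(hb), "byte heartbeat, dispatch result:", receive(hb))
```

Because the receiver only discards the message, the traffic is enough to reset an idle timer on a stateful firewall in the path without any change on the server.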
I documented the Watchdog config directives incorrectly.
(or Watchdogtimeout1 N if you only want to affect SSH1 protocol)
Internal RFE bug #112191 entered - will be considered for future releases.
Please follow up on this request with the original package
maintainer for OpenSSH. If it is not changed upstream, it will not be
something we can include in RHEL.