Forum Discussion

hc_andy_35682
Jan 27, 2010

iRule help to set indefinite SSH login session

Thanks to this post I've created an iRule to handle ssh sessions using "IP::idle_timeout"

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=32109

when CLIENT_ACCEPTED {
    switch [TCP::local_port] {
        "22" {
            IP::idle_timeout 600
        }
    }
}

Is there an INDEFINITE idle_timeout value that keeps the session from timing out? I've set it to ZERO but this then STOPS me from ssh-ing into the box.

Thanks.

Andy

4 Replies

  • I'd use a custom tcp profile for this task - you can set the timeout to indefinite.

    -Matt
  • Thanks Matt.

    I thought using an iRule would be the better way to go because then I could just apply the time out for SSH sessions and use the default fastL4 time out for other TCP related protocols.

    Is there no way to set the timeout to INDEFINITE using IP::idle_timeout ???

    Thanks.

    Andy
  • I'm not sure how to do this in a rule. It's real easy to set up a port 22 virtual server though, and I'd suggest going that route - it's cleaner, to me at least. It sounds like you've got a forwarder set up that handles multiple protocols. If this is the case, you can carve out that SSH traffic by adding a 0.0.0.0:22 virtual and applying the custom tcp timeout behavior to that virtual.

    -Matt
  • Setting the idle timeout to 0 in the rule probably means immediate, not indefinite. You could try setting it to the max acceptable value instead (maybe 2147483647?).

    But I agree with Matt--it's much better to create a separate VIP and custom FastL4 profile for this.

    Aaron
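
The approach suggested in the replies above (a separate 0.0.0.0:22 virtual server with its own FastL4 profile), written out as an added example that is not from the thread's participants or from F5. The object names `fastl4_ssh_noidle` and `vs_ssh_forward` are hypothetical, and the commands assume a BIG-IP version that provides tmsh and a forwarding setup like the one described in the thread.

```tmsh
# Added example; the object names below are hypothetical.

# 1. Custom FastL4 profile: inherits every setting from the default fastL4
#    profile except the idle timeout, which is set to never expire.
create ltm profile fastl4 fastl4_ssh_noidle defaults-from fastL4 idle-timeout indefinite

# 2. Wildcard forwarding virtual server that matches only TCP port 22.
#    Because it is more specific than a 0.0.0.0:0 forwarder, SSH traffic is
#    handled here while every other protocol keeps the default fastL4 timeout.
create ltm virtual vs_ssh_forward destination 0.0.0.0:22 mask any ip-protocol tcp ip-forward profiles add { fastl4_ssh_noidle }

# 3. Check that the profile carries the intended timeout and is attached.
list ltm profile fastl4 fastl4_ssh_noidle idle-timeout
list ltm virtual vs_ssh_forward profiles

# 4. Persist the change to the stored configuration.
save sys config
```

With an indefinite timeout, SSH flows whose endpoints disappear without sending a FIN or RST are no longer aged out by the idle timer. Limiting the virtual server to the VLANs that need it, or enabling SSH keepalives on the clients and keeping a long finite timeout instead, bounds how many such stale entries can accumulate.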