Currently I am trying to configure a tunnel (ssh.localhost.run) to stay alive after idling for a while.

I have done some research and found this type of ~/.ssh/config file:

Host *
     ServerAliveInterval 60
     ServerAliveCountMax 5

But after a while (usually 1 hour) PuTTY will respond "Signature from Server's host key is invalid." and the old tunnel is terminated. I have to make a new tunnel manually; I can still use the old key, but the tunnel link (domain) is different.

https://i.sstatic.net/aN4g1.png

My question:

Is there any way that I can keep this tunnel valid (never expires) or any way to resolve that "Signature from Server's host key is invalid"?

  • How do your settings compare with these ones?
    – harrymc
    Commented Sep 30, 2022 at 10:49
  • I have not checked it; I will see it when I get back to my office. BUT this is to keep the session alive; can it keep the same tunnel alive, or does it just create a new one after a specified time?
    – TriNguyen
    Commented Oct 1, 2022 at 16:36

1 Answer

This isn't idle expiry – the response is caused by a periodic re-handshake that most SSH clients and servers initiate every few hours to exchange new keys. The process is very similar to what happens during the initial connection, including re-verifying the server's "host key" (as a side effect, not as a goal), and apparently your server is doing the re-handshake incorrectly.

In other words, it's a problem with the custom SSH server software that your tunnel is using. (Though, first make sure you have the latest version of PuTTY (i.e. 0.77), in case it happens to be a client bug.)

PuTTY lets you adjust or disable the key re-exchange parameters in "Connection > SSH > Kex". The default time interval is 60 minutes and the default data limit is 1 GB transferred – PuTTY will start a rekey every time either of those limits is hit.

With modern ciphers, you can safely increase the rekey periods (hourly rekey was meant for ancient 64-bit or even 56-bit ciphers), e.g. time-based rekey could be set to a week or even disabled entirely, while data-based rekey could be set to something like 1024GB or disabled as well.

However, this only adjusts client-initiated rekey – it cannot prevent the server from requesting a rekey.

Finally, ~/.ssh/config is for OpenSSH – it is not read by PuTTY. The same settings exist in PuTTY but have to be configured through its own settings screens.

  • Hi, thank you for your help. Now I understand the concept of re-handshake; however, when I try to adjust Kex to 1 min to check the change, it doesn't make any change though (I'm using localhost on my own PC). Is there any setting that I should look into?
    – TriNguyen
    Commented Sep 30, 2022 at 8:09
  • For a clearer explanation: I have adjusted Kex to 1 min and run ssh.localhost.run again; the domain is still on, thus no "Signature from Server's host key is invalid" pops up, BUT after 1 min, when I turn off the session and re-open the session again, I get a new tunnel.
    – TriNguyen
    Commented Sep 30, 2022 at 8:12
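As an added example (not part of the answer above and not a PuTTY tool), a PowerShell script that lists the rekey limits saved for each PuTTY session, so you can see at a glance which sessions still use the defaults (60 minutes / 1 GB) and which have time- or data-based rekeying switched off. It assumes PuTTY's registry layout, HKCU\Software\SimonTatham\PuTTY\Sessions\<name> with the values RekeyTime (minutes, 0 = off) and RekeyBytes (a size string such as "1G", "0" = off).

```powershell
# Added example: audit the rekey limits of saved PuTTY sessions.
# Assumes PuTTY's registry layout (HKCU\Software\SimonTatham\PuTTY\Sessions)
# and its RekeyTime / RekeyBytes values. Runs as a normal user, read-only.

$base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'

function ConvertTo-Bytes {
    # Convert a PuTTY-style size string ("1G", "512M", "1024GB", "0") to bytes.
    param([string]$Text)
    if ($Text -match '^\s*(\d+)\s*([KMGT]?)B?\s*$') {
        $n = [int64]$Matches[1]
        $mult = @{ '' = 1; 'K' = 1KB; 'M' = 1MB; 'G' = 1GB; 'T' = 1TB }[$Matches[2].ToUpper()]
        return $n * $mult
    }
    return $null   # unrecognised format; reported as-is below
}

if (-not (Test-Path $base)) {
    Write-Host "No saved PuTTY sessions found under $base"
    return
}

Get-ChildItem $base | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    # PuTTY percent-encodes session names in the registry (e.g. "%20" for a space).
    $name = [uri]::UnescapeDataString($_.PSChildName)

    # Missing values mean PuTTY's built-in defaults apply.
    $minutes   = if ($null -ne $p.RekeyTime) { [int]$p.RekeyTime } else { 60 }
    $bytesText = if ($p.RekeyBytes) { [string]$p.RekeyBytes } else { '1G' }
    $bytes     = ConvertTo-Bytes $bytesText

    $notes = @()
    if ($minutes -eq 0) { $notes += 'time-based rekey disabled' }
    if ($bytes -eq 0)   { $notes += 'data-based rekey disabled' }
    $timeText = if ($minutes -eq 0) { 'off' } else { "$minutes min" }

    [pscustomobject]@{
        Session    = $name
        RekeyTime  = $timeText
        RekeyBytes = $bytesText
        Note       = ($notes -join '; ')
    }
} | Format-Table -AutoSize
```

Sessions that are not saved (a one-off connection typed into the PuTTY dialog) use the values under the Default Settings entry, which this listing shows under that name.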
