
How to kill an unresponsive SSH session - oarmstrong
http://www.laszlo.nu/post/553591402/how-to-kill-an-unresponsive-ssh-session
======
jerf
Read the SSH man pages every so often, even if you think you know how to use
it. There's a lot of features in there. Don't miss the "AUTHORIZED_KEYS FILE
FORMAT" in sshd's man page for the uber-cool "command='command'" options for
authorized keys (restricts a given key to just be able to run a certain
command, very useful). See also SSH's port forwarding, -D, learn how to use
ssh-agent, and "man ssh_config".

~~~
voltagex_
the command= syntax is (was?) how gitolite works - I'm not sure what the
difference between that and a jail is, though.

~~~
txutxu
The command= simply changes "what" gets executed when the user logs in.

A jail (ChrootDirectory in ssh) changes "where" the user gets to when they log in.

The most creative thing I've done with command= was a "select" menu in bash
(with some actions in the sudoers).

Another interesting tool I've discovered recently is rrsync. I'm doing the
backups of my systems isolated with this. It's distributed with the rsync
sources, you put it like:

    command="rrsync /path/to/chroot/the/remote/rsync/client/"

~~~
stock_toaster
I used to use rsnapshot with command= set to a custom script that would let a
few things through (rsync being one of them), by introspecting
`$SSH_ORIGINAL_COMMAND`.
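
As an added example (not code from any commenter in this thread), here is a forced-command wrapper of the kind described in the comments above: it checks `$SSH_ORIGINAL_COMMAND` against an allowlist and runs it without handing it back to a shell. The script path, the `/srv/backup/` root, the allowed commands and the `--run` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command gate (added example). Assumed authorized_keys entry:
#   restrict,command="/usr/local/bin/ssh-gate --run" ssh-ed25519 <key> backup@client
# Path, backup root and the allowed commands are assumptions for illustration.
LC_ALL=C; export LC_ALL          # make A-Z/a-z ranges byte-exact
BACKUP_ROOT=/srv/backup/

# Prints "allow" or "deny" for the client's requested command; returns 0 on allow.
gate_decide() {
    req=$1
    case $req in
        # Empty (interactive login), or any byte outside a small safe set:
        # rejects quotes, ; | & $ globs, backticks, tabs and newlines.
        ''|*[!A-Za-z0-9\ ./_-]*) echo deny; return 1 ;;
        # No parent-directory traversal anywhere.
        *..*) echo deny; return 1 ;;
    esac
    set -f; set -- $req; set +f   # split into words with globbing off
    case "$*" in
        uptime|"df -h") echo allow; return 0 ;;
    esac
    # Read-only pull as an rsync client sends it:
    #   rsync --server --sender -<bundled flags> . <path>
    if [ $# -eq 6 ] && [ "$1 $2 $3 $5" = "rsync --server --sender ." ]; then
        case $4 in
            -*[!A-Za-z.]*) echo deny; return 1 ;;   # long options, e.g. --daemon
            -?*) ;;                                  # bundled short flags only
            *) echo deny; return 1 ;;
        esac
        case $6 in
            "$BACKUP_ROOT"*) echo allow; return 0 ;;
        esac
    fi
    echo deny; return 1
}

gate_main() {
    if gate_decide "${SSH_ORIGINAL_COMMAND:-}" >/dev/null; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        exec "$@"                 # argv exec, never sh -c: nothing is re-parsed
    fi
    echo "ssh-gate: command not permitted" >&2
    exit 1
}

if [ "${1:-}" = "--run" ]; then gate_main; fi
```

A prefix check on the path does not stop a symlink under the backup root from pointing elsewhere, so the directory itself still needs to be controlled by the server side.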

------
spindritf
Or use mosh[1] on top of SSH and stop worrying about that stuff.

It works much better over high-latency links (mobile). It is not bothered by
saturated links, tolerates IP changes and losing the underlying connection
like when you suspend your laptop and take it elsewhere.

I now have mosh connect to several servers in tabs when I run gnome-terminal
the first time, and only disconnect on reboot. I also run a mosh-capable Irssi
Connectbot fork on the phone[2].

It's a massive improvement, fixing many of the little annoyances of ssh.

[1] [http://mosh.mit.edu/](http://mosh.mit.edu/)

[2] [http://dan.drown.org/android/mosh/](http://dan.drown.org/android/mosh/)

~~~
oijaf888
Has anyone audited mosh's security model/encryption? Just curious since ssh is
pretty tried and tested.

~~~
qznc
Authentication and initial key exchange is via ssh, so nothing to audit here.
Afterwards data is sent AES-encrypted, which is relatively simple.

~~~
darkarmani
> Afterwards data is sent AES-encrypted, which is relatively simple.

It's simple to encrypt using AES, but that doesn't mean it is simple to
encrypt in a secure way (I'm looking at you ECB mode). There are too many ways
to accidentally mess up.

------
Sharlin
The default escape character ~ does not work if the tilde key in your keyboard
layout is a dead key [1], like it is in many European layouts. It can be
changed via the EscapeChar config option or the -e command line parameter. It
seems, though, that not just any old character is accepted - I tried to use §,
which, in the Finnish layout, is in the same physical position as ~ is in the
US version, but ssh complains about "bad escape character".

EDIT - I suppose it must be an ASCII character, which is not an entirely
unreasonable requirement.

[1] [http://en.wikipedia.org/wiki/Dead_key](http://en.wikipedia.org/wiki/Dead_key)

~~~
cnvogel
It works, you'll just have to type

    <tilde> <space> .

~~~
Sharlin
Weird - I did try that before writing the comment and it didn't work. May
depend on the terminal or something.

------
Nursie
enter-tilde-dot

It is useful, yes. Here's another thing I picked up last week - how do you
reboot a remote linux box that's somehow lost its root drive but you still
have a shell open (because you left ssh running on another machine)?

    echo 1 > /proc/sys/kernel/sysrq
    echo b > /proc/sysrq-trigger

------
verbatim
<enter>~Ctrl-Z will suspend the ssh session, too.

I've also found it useful to do <enter>~C - then you can configure port
forwarding without having to open a new ssh session.

(~C opens a command line, enter "help" for available commands.)

------
epo
Please don't let HN become a substitute for RTFM. This should be known by all
SSH users who have skimmed the man page. Fair enough as a blog post but for
this trivia to get 46 points so far is deeply depressing.

Maybe I should write a blog post about the use of CTRL-Z in the shell and post
that here, should get me Kilo-karma points if this is anything to go by.

~~~
davidw
When you have a toolset that includes, but is not limited to:

* Ruby

* Rails

* Postgres

* C

* Erlang

* Emacs

* Bash/Zsh/whatever

* Linux Kernel

* GNU C library

* Postfix

and on and on and on, these kinds of tricks are bound to be useful to someone
who is not a complete expert with whichever system is being discussed.

Also, realistically speaking, they are far less prevalent than nakedly
political articles lately, which _do_ weigh on the quality of the site.

~~~
hhw
This is like not knowing the return or exit function, and is also used for
telnet or serial console connections. If knowledge is so shallow on a
particular tool, it should not count as being part of the toolset. There's
nothing more basic or essential to SSH than connecting and disconnecting. And
it's right there on the man page, not exactly a hidden feature. This is more
beginner level knowledge, maybe novice if being very very generous, but
nowhere near expert level.

~~~
davidw
Connecting: type ssh and the hostname. Disconnecting: type exit or ctrl-d or
whatever on the remote end. That's enough for many people.

For a group of people as large as HN, there are bound to be many people who
are experts in one thing, and marginal with others, so articles like this are
likely to appeal to them, and be useful.

~~~
hhw
I would agree if it were for some more obscure yet useful feature, but this is
one of the basics, that's clearly documented. This should not be useful for
anyone who's ever read the man page, and anyone who's used ssh should have
read the man page at least once. That so many people apparently haven't, in
what's supposed to be a highly technical community, is a very disappointing sign
of intellectual indolence.

~~~
davidw
On my system, I ran this:

    nice man -l -Tdvi man*/* | wc

And got

    3416771 6700199 122007116

At more than 6 million words, that's approximately 10 War and Peace's. And of
course in terms of documentation, that's only man pages, which doesn't cover
all the stuff that's in other formats like info or html.

You cannot be an expert in everything: I knew about that command for closing
ssh, but frankly it is not something I use because it's easier to just close
the rxvt and be done with it. I have zillions of other things to occupy my
brain.

I'd also argue that in terms of ssh, since this function is so easily
accomplished in other ways, this is really just handy trivia. Much more useful
to know about are all the tunneling things, as they are not necessarily
obvious, and can be extremely useful.

~~~
hhw
I'm hardly advocating reading every single man page; just the man pages for
things you actually use. And 10x War and Peace's is hardly an extreme amount
of reading to become a knowledgeable systems administrator. That would
probably be akin to two semesters of 5 courses each to become a systems
administrator; I think most community college or vocational school programs
for systems administration require 2 years, and wouldn't teach you nearly as
much.

In any event, I'm not taking the position that casual *nix users should be
reading every single man page. Just for the essentials like ssh, cp/mv, ls,
man itself, etc. You do not need to be an expert to read a few man pages on
utilities you often use. Everyone should RTFM, at least for the relevant bits,
no matter what level you're at. Anyone who found the initial post useful would
also find reading the man page for ssh useful. Thus, they should have read it.
That's not at all suggesting that they need to become an expert.

The ~. key sequence is used in pretty much any console type application, not
just ssh, so it's quite useful to know. If you do any work with a serial
console i.e. configuring network devices, pdus, even some servers, etc., then
it's pretty useful for ending a session as there's no TCP connection to close
and take you back to the local console on your terminal emulator. If you're
working on the actual local console and not in a full blown GUI on a system
without virtual consoles, there may be no other way to close the serial
console session on some platforms (notably many different OS'es running on
Sparc64's as well as not on Solaris at all until recently).

Regardless, it's generally less effort to type ~. than to close and reopen a
window/tab in your terminal emulator of choice. The time spent to read the man
page would inevitably be made up by a few clicks saved here and there
throughout a long career. It would have taken less time than to make multiple
posts in this thread.

------
adaml_623
Another useful trick to remember if you're using Putty and you ever
accidentally hit Ctrl-S and find that you've frozen the terminal.

Just type Ctrl-Q and you will unfreeze the connection.

Credit due to: [http://raamdev.com/2007/recovering-from-ctrls-in-putty/](http://raamdev.com/2007/recovering-from-ctrls-in-putty/)

~~~
ojbyrne
This is not news to anyone (in tech) over 40.

[https://en.wikipedia.org/wiki/Software_flow_control](https://en.wikipedia.org/wiki/Software_flow_control)

~~~
delinka
But the world is full of neophytes, re-inventors, etc. It's good to remind
people periodically and educate the next generation.

~~~
nkurz
And besides, the older I get (41) the more I can use frequent reminders of the
things I used to know. It's disturbing the number of times I've searched the
web for answers, and discovered an answer I wrote myself. And I hadn't known
this could be easily turned off with 'stty' as suggested in another answer. Or
maybe I did once know that?

~~~
delinka
The following quote becomes more relevant every year: "I've forgotten more
than you'll ever know!" --Insulting Old Fogey

------
hahainternet
If you happen to be a few sessions deep, ~~ will send ~ to the next session
along. A casual ~~~~~~~~~~~. or so later and everything is wonderful again!

~~~
makomk
Though you have to be nested really deeply to do ~~~~~~~~~~~. - unlike some
other escaping schemes, it only requires one extra tilde for every layer of
nesting rather than doubling each time.

~~~
hahainternet
The worst problem is trying to figure out just how many layers deep you are. I
was being a little ridiculous though.

~~~
zeckalpha
"So, a totem. It's a small object, potentially heavy, something you can have
on you all the time..."

~~~
voltagex_
I wonder... I reckon you could implement a totem inside GNU screen that kept
track of how many ssh-sessions deep you were.

~~~
duskwuff
Not to be confused with:
[https://projects.gnome.org/totem/](https://projects.gnome.org/totem/)

~~~
voltagex_
Oops, yes. I was speaking about the Inception reference.

------
oarmstrong
In case anyone is having difficulty with the font used on the page, the escape
sequence is: newline followed by tilde (~) and then period (.).

------
tankenmate
The thing that amazes me about this is that people don't realise that this
comes from BSD 4.2 rsh released in 1983.

~~~
revscat
Why does that amaze you? That is a pretty trivial piece of knowledge.
Interesting, though.

------
microcolonel
I'm surprised/appalled at how many people upvote this, considering how this
place is supposed to be "hacker news"...

~~~
lobo_tuerto
Sometimes I upvote articles where the comments are good, present new
information or just have better information than the article itself.

------
jlkinsel
I'm a little surprised this is on HN? To me this is the equivalent of a blog
post about using %d with printf.

Not complaining, just a little surprised something so novice would get
attention...

~~~
recursive
You should post it if you think it will gain traction. Not everyone is
experienced with C.

------
kdazzle
Another great solution is to just use the ServerAliveInterval option.

~~~
XorNot
I can never decide how I want to set this. Most sites recommend 180 seconds or
so, but with the default ServerAliveCountMax set to 3, this is 9 minutes
before a dead terminal is actually disconnected.

I've started to set it really really low personally - like, 5 seconds, so the
connection drops after 15 seconds. I'm tempted to go down to 1, but I have a
lot of long running sessions and I start to worry about the traffic counts.

But, after all this there's still a problem: none of it seems to work with any
of the connection mux'ing options - once the background session dies, I still
have to manually kill it to get anything working again.

------
kbenson
While I've frequently used this to kill connections, my favorite thing I've
done with it is to list existing and dynamically add new forwarding ports
through SSH.

------
spudlyo
Hitting '.' at a prompt used to be a common idiom for exiting a program. I
first saw it when I was a kid working on an HP-3000 system where the system
programming language was BASIC and all programs followed this convention.
Don't know where it came from originally, but you can still see it in places
like rsh/SSH etc.

~~~
smutticus
And SMTP where a single "." followed by CR ends the session.

------
gbog
Does it work too with ctrl-\ ? This has been my process killer recently and
it's powerful (and the only way I know to get out of xtail.)

------
Nick_C
On a side note, does anyone know what ~B actually does? Does it send a SIGINT
to the remote terminal? What does ssh mean by the phrase "send a BREAK to a
remote system"?

I've tried to use it without success to kill a runaway listing of megabytes of
scrolling text, but frantically hitting ctrl-C seems to work much better.

~~~
thristian
In the beginning, there was RS232, where each character was a fixed number of
bits, optionally with a stop bit and a parity bit. If the sender transmitted
too many 0 bits to represent a valid character, that protocol failure was
called a 'break', and some receiving equipment would detect such a failure and
do something about it, like reset itself to a known-good state. Thus, a
'break' was occasionally a useful thing to send, so sending equipment would
often have a special keystroke to cause a 'break' condition.

The Unix 'tty' subsystem was basically designed to support simple serial
terminals, and so it had a bunch of behaviour designed to interoperate with
the pre-existing 'break' conventions. If a Unix system's serial port received
a break, Unix would (optionally) send any processes running via that
connection a SIGINT, to represent the 'reset to known-good state' behaviour
(this is controlled by the stty command's 'brkint' flag). Also, if the user's
terminal didn't provide a specific 'send a break signal' command, Unix could
be configured to send a break signal when it received some particular
character (^C by default; this is controlled by stty's 'intr' setting).

Of course, nobody uses physical RS232 terminals anymore, but for compatibility
reasons the Unix tty API lives on, and the "pseudotty" implementation used for
things like terminal emulators maintains compatibility. ssh is basically a
tool for exporting the tty API over the network, and so for compatibility it
too must have a way to transmit the information "pretend a break condition has
occurred on the RS232 connection we're pretending to use."

To summarise: yes, unless you've messed with the stty command, ~B will
probably result in a SIGINT. Ctrl-C is probably more reliable since you can
hit it much faster than you can type <Enter>~B, but ~B is still useful if your
terminal is in 'raw' mode, where ^C is not converted to SIGINT (for example,
if you're running an app that wants to bind ^C to some other function).

See also:

    https://en.wikipedia.org/wiki/Universal_asynchronous_receiver/transmitter#Break_condition
    stty(1)
    tcsendbreak(3)

------
bostonvaulter2
This usually doesn't work for me. Perhaps it's because my sessions are usually
multiplexed via "ControlMaster auto"?

------
anuraj
[Enter] Shift+~ .

