Resilient Connections for SSH and TLS

Disconnection of an SSH shell or a secure application session due to network outages or travel is a familiar problem to many Internet users today. In this project, we have extended the SSH and TLS protocols to support resilient connections that can span several sequential TCP connections. The extensions allow sessions to survive both changes in IP addresses and long periods of disconnection. Our design emphasizes deployability in real-world environments, and addresses many of the challenges identified in previous work, including assumptions made about network middleboxes such as firewalls and NATs. We have also implemented the extensions in the OpenSSH and PureTLS software packages and tested them in practice.


The SSH extensions are available as a patch for OpenSSH 4.2p1. However, please do note the experimental state of the patch. Once patched, the OpenSSH daemon understands suspendgracetime configuration key, which defines the maximum time (in seconds) to wait for reconnection before killing any processes. Zero value disables the resilient support and is the default. A patched OpenSSH client attempts to reconnect with increasing intervals after the underlying TCP connection breaks. Sending USR2 signal to a client process enforces the client to reconnect immediately.

The PureTLS patch for TLS extensions is available on request.


T. Koponen, P. Eronen, M. Särelä, Resilient Connections for SSH and TLS, in Proc. of USENIX Annual Technical Conference 2006, Boston, MA, May-June 2006. PDF

Valid HTML