How to enable SSH client keepalive

Idle SSH sessions often disappear when a firewall, NAT device, or VPN path removes a quiet connection before the remote shell is finished. Enabling client keepalive makes the local SSH client send periodic protocol-level checks so an otherwise healthy session is less likely to be dropped just because it sat idle for a while.

The OpenSSH client reads command-line options first, then ~/.ssh/config, then /etc/ssh/ssh_config, and uses the first value it gets for each setting. A Host block matches the host name or alias used on the ssh command line, so host-specific entries should appear before broader defaults such as Host *. ServerAliveInterval sends an encrypted check only after the server has been silent for the chosen number of seconds, while ServerAliveCountMax limits how many missed replies are allowed before the client closes the session.

Current OpenSSH clients still leave ServerAliveInterval disabled by default even though TCPKeepAlive remains enabled. That means idle-session protection does not start until a keepalive interval is configured. Check the merged settings with ssh -G before reconnecting, and if the session still drops at the same fixed timeout, the limit is likely being enforced by the server or a network policy instead of the client.

Related: How to prevent SSH session timeouts
Related: How to show SSH client configuration
Related: How to monitor active connections to an SSH server

Steps to enable SSH client keepalive:

  1. Create the per-user SSH configuration directory if it does not already exist, then restrict it to the current account. 
    $ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh

    OpenSSH can ignore per-user configuration or key files when the directory is writable by other users.

  2. Open the per-user client configuration file in a text editor. 
    $ nano ~/.ssh/config

    Use /etc/ssh/ssh_config only when the same keepalive policy must apply to every user on the machine.

  3. Add or update a Host block for the SSH destination that loses idle sessions. 
    Host host.example.net
  ServerAliveInterval 60
  ServerAliveCountMax 3

    Replace host.example.net with the host name, IP address, or alias used on the ssh command line.

    With ServerAliveInterval 60 and ServerAliveCountMax 3, the client closes the session after about three minutes if the server stops answering keepalive requests.

  4. Save the file after the keepalive block is in place.

    Use Host * instead of a named destination only when every SSH connection from this client should inherit the same keepalive values.

  5. Show the merged client configuration for the target host and confirm that the keepalive values are active. 
    $ ssh -G host.example.net
##### snipped #####
hostname host.example.net
tcpkeepalive yes
serveralivecountmax 3
serveraliveinterval 60
##### snipped #####

    ssh -G prints the effective configuration after evaluating the matching Host and Match blocks, then exits.

    If serveraliveinterval still shows 0, the wrong host name matched or a broader block took precedence earlier in the file.

  6. Connect using the configured host entry and leave the session idle longer than the previous failure window to confirm that the client now keeps it alive. 
    $ ssh host.example.net

    Client keepalive cannot override a server policy that deliberately closes idle sessions after a fixed limit. If the connection still drops at the same exact timeout, inspect the server-side timeout settings instead.