How can I break out of ssh when it locks?

Normal keys are forwarded over the ssh session, so none of those will work. Instead, use the escape sequences. To kill the current session, press Enter ↵, ~, . in succession.

(Keep in mind that on international keyboards where ~ is set to be a composing character, you have to hit it twice: Enter ↵, ~, ~, .)

More of these escape sequences can be listed with Enter ↵, ~, ?:

Supported escape sequences:
     ~.   - terminate connection (and any multiplexed sessions)
     ~B   - send a BREAK to the remote system
     ~C   - open a command line
     ~R   - request rekey
     ~V/v - decrease/increase verbosity (LogLevel)
     ~^Z  - suspend ssh
     ~#   - list forwarded connections
     ~&   - background ssh (when waiting for connections to terminate)
     ~?   - this message
     ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

You can close the list of Escape sequences by hitting enter.

Notice that because hitting ~~ causes ssh to send the ~ instead of intercepting it, you can address N nested ssh connections by hitting ~ N times. (This only applies to ~s that directly follow an enter.) That is to say that enter~~~~~. terminates an ssh session 5 layers deep and keeps the other 4 intact.
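The nested-session rule described above can be checked with a small model. This is an added example, not part of the original answer and not OpenSSH code: the function names `ssh_layer` and `closed_layer` are hypothetical, and only `~.` and `~~` are modelled (other escapes are simply passed through).

```python
# Simplified model of ssh client escape handling (assumption: follows the
# behaviour described in the answer above; only "~." and "~~" are modelled).
ESC = "~"

def ssh_layer(keys):
    """Process keystrokes through one ssh client.

    Returns (forwarded, terminated): the characters passed on to the remote
    side, and whether this client saw its own "~." and closed the connection.
    """
    out = []
    at_line_start = True   # a fresh session counts as the start of a line
    pending = False        # True right after an escape char at line start
    for ch in keys:
        if pending:
            pending = False
            if ch == ".":
                return "".join(out), True   # "~." terminates this layer
            if ch != ESC:
                out.append(ESC)             # not modelled: forward the "~" as well
            # "~~" falls through here: exactly one "~" is forwarded
        elif at_line_start and ch == ESC:
            pending = True                  # intercept, wait for the next key
            continue
        at_line_start = ch in "\r\n"        # escapes only count after a newline
        out.append(ch)
    return "".join(out), False

def closed_layer(keys, depth):
    """Feed keys through `depth` nested clients (outermost first).

    Returns the 1-based layer that terminated, or None if no layer did.
    """
    for layer in range(1, depth + 1):
        keys, terminated = ssh_layer(keys)
        if terminated:
            return layer
    return None

if __name__ == "__main__":
    # Constructed input: Enter, N tildes, then "." typed into 5 nested sessions.
    for n in range(1, 6):
        seq = "\r" + ESC * n + "."
        print(f"Enter + {n} tilde(s) + '.' closes layer", closed_layer(seq, 5))
```

Each layer consumes one `~` and forwards the rest, so the number of tildes typed selects the layer that finally sees `~.` directly after the newline.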


You may also want to set up application-level keep-alives for SSH to prevent it from freezing on connection issues. My ~/.ssh/config contains this:

Host *
ServerAliveInterval 15
# ServerAliveCountMax 3

This makes the ssh client send application-level keep-alives every 15 seconds. Whenever three of them fail consecutively (the default of ServerAliveCountMax), the client considers the connection as hung and closes it.

As opposed to the other option, TCPKeepAlive, this is checked within the encrypted channel and is not spoofable.


It should be noted that those keep-alives also help to, uhm, keep long-idling connections alive, i.e. prevent you from having half-closed TCP sessions hanging for hours untouched.

I highly recommend turning this feature on if you run into this regularly, but you should also know about the slight security risk it may impose. A known-plaintext attack might become easier if the attacker knows the interval and contents of an idle connection. This might be the reason why it isn't enabled by default.


As noted in geekosaur's answer, the escape sequence ~. will terminate the connection.

The full list of escape sequences and what they do can be displayed by typing ~?:

Supported escape sequences:
  ~.  - terminate connection (and any multiplexed sessions)
  ~B  - send a BREAK to the remote system
  ~C  - open a command line
  ~R  - Request rekey (SSH protocol 2 only)
  ~^Z - suspend ssh
  ~#  - list forwarded connections
  ~&  - background ssh (when waiting for connections to terminate)
  ~?  - this message
  ~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
