From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 3/3] SSH: do not send spoofable TCP keep alive messages
Date: Tue, 19 Apr 2022 10:40:35 +0000
Message-ID: <2b766d1a-dc4b-cf44-5b43-8fe6789b953a@ipfire.org>
In-Reply-To: <B85C088F-5ADB-4C1A-8EE7-3F953AB0663E@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5755258017204202074=="
List-Id: <development.lists.ipfire.org>

--===============5755258017204202074==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Michael,

thanks for your reply.

> Hello,
>=20
> Thanks for this.
>=20
> I would personally like a longer timeout than 60 seconds.
>=20
> If a DSL modem loses sync, or DFS kicks in and the WiFi has to change chann=
els, 60 seconds is not a long time. There cannot be any security reason for k=
eeping it that low, so I would like to ask if there is any other reason that =
I missed.

Um, actually, this patch features a timeout of five minutes (10 seconds * 30 =
keep-alive's =3D 300
seconds =3D 5 minutes) before a dangling SSH connection is being terminated. =
Or did I misunderstand
you?

Thanks, and best regards,
Peter M=C3=BCller

>=20
> -Michael
>=20
>> On 18 Apr 2022, at 21:40, Peter M=C3=BCller <peter.mueller(a)ipfire.org> w=
rote:
>>
>> By default, both SSH server and client rely on TCP-based keep alive
>> messages to detect broken sessions, which can be spoofed rather easily
>> in order to keep a broken session opened (and vice versa).
>>
>> Since we rely on SSH-based keep alive messages, which are not vulnerable
>> to this kind of tampering, there is no need to double-check connections
>> via TCP keep alive as well.
>>
>> This patch thereof disables using TCP keep alive for both SSH client and
>> server scenario. For usability reasons, a timeout of 5 minutes (10
>> seconds * 30 keep alive messages =3D 300 seconds) will be used for both
>> client and server configuration, as 60 seconds were found to be too
>> short for unstable connectivity scenarios.

This was precisely your concern about the first attempt of this patch, which
is why I raised this to 300 seconds instead of 60.

>>
>> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
>> ---
>> config/ssh/ssh_config  | 12 ++++++++----
>> config/ssh/sshd_config |  8 +++++---
>> 2 files changed, 13 insertions(+), 7 deletions(-)
>>
>> diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
>> index ee0954d5c..85c069dda 100644
>> --- a/config/ssh/ssh_config
>> +++ b/config/ssh/ssh_config
>> @@ -5,7 +5,7 @@
>>
>> # Set some basic hardening options for all connections
>> Host *
>> -        # Disable Roaming as it is known to be vulnerable
>> +        # Disable undocumented roaming feature as it is known to be vulne=
rable
>>         UseRoaming no
>>
>>         # Only use secure crypto algorithms
>> @@ -13,15 +13,19 @@ Host *
>>         Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,a=
es128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
>>         MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.c=
om,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.=
com
>>
>> -        # Always visualise server host keys (but helps to identify key ba=
sed MITM attacks)
>> +        # Always visualise server host keys (helps to identify key based =
MITM attacks)
>>         VisualHostKey yes
>>
>>         # Use SSHFP (might work on some up-to-date networks) to look up ho=
st keys
>>         VerifyHostKeyDNS yes
>>
>> -        # send keep-alive messages to connected server to avoid broken co=
nnections
>> +        # Send SSH-based keep alive messages to connected server to avoid=
 broken connections
>>         ServerAliveInterval 10
>> -        ServerAliveCountMax 6
>> +        ServerAliveCountMax 30
>> +
>> +	# Disable TCP keep alive messages since they can be spoofed and we have =
SSH-based
>> +	# keep alive messages enabled; there is no need to do things twice here
>> +	TCPKeepAlive no
>>
>>         # Ensure only allowed authentication methods are used
>>         PreferredAuthentications publickey,keyboard-interactive,password
>> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
>> index 456556540..76c9b3eb1 100644
>> --- a/config/ssh/sshd_config
>> +++ b/config/ssh/sshd_config
>> @@ -46,11 +46,13 @@ AllowTcpForwarding no
>> AllowAgentForwarding no
>> PermitOpen none
>>
>> -# Detect broken sessions by sending keep-alive messages to clients via SS=
H connection
>> +# Send SSH-based keep alive messages to connected clients to avoid broken=
 connections
>> ClientAliveInterval 10
>> +ClientAliveCountMax 30
>>
>> -# Close unresponsive SSH sessions which fail to answer keep-alive
>> -ClientAliveCountMax 6
>> +# Since TCP keep alive messages can be spoofed and we have the SSH-based =
already,
>> +# there is no need for this to be enabled as well
>> +TCPKeepAlive no
>>
>> # Add support for SFTP
>> Subsystem	sftp	/usr/lib/openssh/sftp-server
>> --=20
>> 2.34.1
>=20

--===============5755258017204202074==--