15 minutes > On 10 Apr 2021, at 13:57, Peter Müller wrote: > > Hello Michael, > > thanks for your reply. > > Which timeout value would you suggest then? > > Thanks, and best regards, > Peter Müller > >> Hi, >> >>> On 2 Apr 2021, at 20:27, Peter Müller wrote: >>> >>> Hello Michael, >>> >>> thank you for your reply. >>> >>> Context-based, I guess you meant "something more useful", didn't you? :-) >> >> Seems so. I struggle a lot with auto-correct. >> >>> Well, if you like, we can leave 60 seconds here, but I would not go for a much >>> longer timeout. If a network issue takes longer than a minute, requiring a re-login >>> looks reasonable to me (it does for 30 seconds also, but hey ;-) ). >> >> No, it kills whatever I am running and a 60 second break happens very quickly with a DSL reconnect or rebooting an access point somewhere. Why is that supposed to break the SSH session, too? >> >>> >>> Thanks, and best regards, >>> Peter Müller >>> >>> >>>> Hello, >>>> >>>>> On 1 Feb 2021, at 18:06, Peter Müller wrote: >>>>> >>>>> By default, both SSH server and client rely on TCP-based keep alive >>>>> messages to detect broken sessions, which can be spoofed rather easily >>>>> in order to keep a broken session opened (and vice versa). >>>>> >>>>> Since we rely on SSH-based keep alive messages, which are not vulnerable >>>>> to this kind of tampering, there is no need to double-check connections >>>>> via TCP keep alive as well. >>>>> >>>>> This patch thereof disables using TCP keep alive for both SSH client and >>>>> server scenario. Further, {Client,Server}AliveCountMax default to 3, >>>>> which is sufficient (3 * 10 sec. = broken SSH connections die after 30 >>>>> seconds), so we can omit that option. 60 seconds won't have any >>>>> advantage here. >>>> >>>> Is there any considerable downside of increasing this to something more useless? >>>> >>>> I constantly run into broken SSH sessions because of smaller network hiccups (WiFi, VPNs, my crappy ISP, etc.). It would be useful to hold the connection for a little bit longer so that I can spend more time on fixing stuff instead of logging back in. >>>> >>>> -Michael >>>> >>>>> >>>>> Signed-off-by: Peter Müller >>>>> --- >>>>> config/ssh/ssh_config | 11 +++++++---- >>>>> config/ssh/sshd_config | 7 ++++--- >>>>> 2 files changed, 11 insertions(+), 7 deletions(-) >>>>> >>>>> diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config >>>>> index 2e2ee60c3..ab0967086 100644 >>>>> --- a/config/ssh/ssh_config >>>>> +++ b/config/ssh/ssh_config >>>>> @@ -5,7 +5,7 @@ >>>>> >>>>> # Set some basic hardening options for all connections >>>>> Host * >>>>> - # Disable Roaming as it is known to be vulnerable >>>>> + # Disable undocumented roaming feature as it is known to be vulnerable >>>>> UseRoaming no >>>>> >>>>> # Only use secure crypto algorithms >>>>> @@ -13,15 +13,18 @@ Host * >>>>> Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr >>>>> MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com >>>>> >>>>> - # Always visualise server host keys (but helps to identify key based MITM attacks) >>>>> + # Always visualise server host keys (helps to identify key based MITM attacks) >>>>> VisualHostKey yes >>>>> >>>>> # Use SSHFP (might work on some up-to-date networks) to look up host keys >>>>> VerifyHostKeyDNS yes >>>>> >>>>> - # send keep-alive messages to connected server to avoid broken connections >>>>> + # Send SSH-based keep alive messages to connected server to avoid broken connections >>>>> ServerAliveInterval 10 >>>>> - ServerAliveCountMax 6 >>>>> + >>>>> + # Disable TCP keep alive messages since they can be spoofed and we have SSH-based >>>>> + # keep alive messages enabled; there is no need to do things twice here >>>>> + TCPKeepAlive no >>>>> >>>>> # Ensure only allowed authentication methods are used >>>>> PreferredAuthentications publickey,keyboard-interactive,password >>>>> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config >>>>> index bea5cee53..a9eb5ff14 100644 >>>>> --- a/config/ssh/sshd_config >>>>> +++ b/config/ssh/sshd_config >>>>> @@ -47,11 +47,12 @@ AllowTcpForwarding no >>>>> AllowAgentForwarding no >>>>> PermitOpen none >>>>> >>>>> -# Detect broken sessions by sending keep-alive messages to clients via SSH connection >>>>> +# Send SSH-based keep alive messages every 10 seconds >>>>> ClientAliveInterval 10 >>>>> >>>>> -# Close unresponsive SSH sessions which fail to answer keep-alive >>>>> -ClientAliveCountMax 6 >>>>> +# Since TCP keep alive messages can be spoofed and we have the SSH-based already, >>>>> +# there is no need for this to be enabled as well >>>>> +TCPKeepAlive no >>>>> >>>>> # Add support for SFTP >>>>> Subsystem sftp /usr/lib/openssh/sftp-server >>>>> -- >>>>> 2.26.2 >>>> >>