From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 3/3] SSH: do not send spoofable TCP keep alive messages
Date: Tue, 19 Apr 2022 11:41:43 +0100
Message-ID: <9A17937C-A4B7-49CF-B866-44992A1D15FF@ipfire.org>
In-Reply-To: <2b766d1a-dc4b-cf44-5b43-8fe6789b953a@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0572731998327259479=="
List-Id: <development.lists.ipfire.org>

--===============0572731998327259479==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Oh, maybe I misread your first email. Sorry. 5 minutes > 60s. Cool.

> On 19 Apr 2022, at 11:40, Peter M=C3=BCller <peter.mueller(a)ipfire.org> wr=
ote:
>=20
> Hello Michael,
>=20
> thanks for your reply.
>=20
>> Hello,
>>=20
>> Thanks for this.
>>=20
>> I would personally like a longer timeout than 60 seconds.
>>=20
>> If a DSL modem loses sync, or DFS kicks in and the WiFi has to change chan=
nels, 60 seconds is not a long time. There cannot be any security reason for =
keeping it that low, so I would like to ask if there is any other reason that=
 I missed.
>=20
> Um, actually, this patch features a timeout of five minutes (10 seconds * 3=
0 keep-alive's =3D 300
> seconds =3D 5 minutes) before a dangling SSH connection is being terminated=
. Or did I misunderstand
> you?
>=20
> Thanks, and best regards,
> Peter M=C3=BCller
>=20
>>=20
>> -Michael
>>=20
>>> On 18 Apr 2022, at 21:40, Peter M=C3=BCller <peter.mueller(a)ipfire.org> =
wrote:
>>>=20
>>> By default, both SSH server and client rely on TCP-based keep alive
>>> messages to detect broken sessions, which can be spoofed rather easily
>>> in order to keep a broken session opened (and vice versa).
>>>=20
>>> Since we rely on SSH-based keep alive messages, which are not vulnerable
>>> to this kind of tampering, there is no need to double-check connections
>>> via TCP keep alive as well.
>>>=20
>>> This patch thereof disables using TCP keep alive for both SSH client and
>>> server scenario. For usability reasons, a timeout of 5 minutes (10
>>> seconds * 30 keep alive messages =3D 300 seconds) will be used for both
>>> client and server configuration, as 60 seconds were found to be too
>>> short for unstable connectivity scenarios.
>=20
> This was precisely your concern about the first attempt of this patch, which
> is why I raised this to 300 seconds instead of 60.
>=20
>>>=20
>>> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
>>> ---
>>> config/ssh/ssh_config | 12 ++++++++----
>>> config/ssh/sshd_config | 8 +++++---
>>> 2 files changed, 13 insertions(+), 7 deletions(-)
>>>=20
>>> diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
>>> index ee0954d5c..85c069dda 100644
>>> --- a/config/ssh/ssh_config
>>> +++ b/config/ssh/ssh_config
>>> @@ -5,7 +5,7 @@
>>>=20
>>> # Set some basic hardening options for all connections
>>> Host *
>>> - # Disable Roaming as it is known to be vulnerable
>>> + # Disable undocumented roaming feature as it is known to be vulnerable
>>> UseRoaming no
>>>=20
>>> # Only use secure crypto algorithms
>>> @@ -13,15 +13,19 @@ Host *
>>> Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-g=
cm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
>>> MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac=
-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
>>>=20
>>> - # Always visualise server host keys (but helps to identify key based MI=
TM attacks)
>>> + # Always visualise server host keys (helps to identify key based MITM a=
ttacks)
>>> VisualHostKey yes
>>>=20
>>> # Use SSHFP (might work on some up-to-date networks) to look up host keys
>>> VerifyHostKeyDNS yes
>>>=20
>>> - # send keep-alive messages to connected server to avoid broken connecti=
ons
>>> + # Send SSH-based keep alive messages to connected server to avoid broke=
n connections
>>> ServerAliveInterval 10
>>> - ServerAliveCountMax 6
>>> + ServerAliveCountMax 30
>>> +
>>> +	# Disable TCP keep alive messages since they can be spoofed and we have=
 SSH-based
>>> +	# keep alive messages enabled; there is no need to do things twice here
>>> +	TCPKeepAlive no
>>>=20
>>> # Ensure only allowed authentication methods are used
>>> PreferredAuthentications publickey,keyboard-interactive,password
>>> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
>>> index 456556540..76c9b3eb1 100644
>>> --- a/config/ssh/sshd_config
>>> +++ b/config/ssh/sshd_config
>>> @@ -46,11 +46,13 @@ AllowTcpForwarding no
>>> AllowAgentForwarding no
>>> PermitOpen none
>>>=20
>>> -# Detect broken sessions by sending keep-alive messages to clients via S=
SH connection
>>> +# Send SSH-based keep alive messages to connected clients to avoid broke=
n connections
>>> ClientAliveInterval 10
>>> +ClientAliveCountMax 30
>>>=20
>>> -# Close unresponsive SSH sessions which fail to answer keep-alive
>>> -ClientAliveCountMax 6
>>> +# Since TCP keep alive messages can be spoofed and we have the SSH-based=
 already,
>>> +# there is no need for this to be enabled as well
>>> +TCPKeepAlive no
>>>=20
>>> # Add support for SFTP
>>> Subsystem	sftp	/usr/lib/openssh/sftp-server
>>> --=20
>>> 2.34.1


--===============0572731998327259479==--