From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] SSH: do not send spoofable TCP keep alive messages
Date: Sat, 10 Apr 2021 14:14:02 +0100
Message-ID: <EBF023CF-D18C-489A-BDEC-28D1006892EB@ipfire.org>
In-Reply-To: <ff3636d8-43b4-7b6b-b79d-01fadaf82a3a@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8606760416582371378=="
List-Id: <development.lists.ipfire.org>

--===============8606760416582371378==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

15 minutes

> On 10 Apr 2021, at 13:57, Peter M=C3=BCller <peter.mueller(a)ipfire.org> wr=
ote:
>=20
> Hello Michael,
>=20
> thanks for your reply.
>=20
> Which timeout value would you suggest then?
>=20
> Thanks, and best regards,
> Peter M=C3=BCller
>=20
>> Hi,
>>=20
>>> On 2 Apr 2021, at 20:27, Peter M=C3=BCller <peter.mueller(a)ipfire.org> w=
rote:
>>>=20
>>> Hello Michael,
>>>=20
>>> thank you for your reply.
>>>=20
>>> Context-based, I guess you meant "something more useful", didn't you? :-)
>>=20
>> Seems so. I struggle a lot with auto-correct.
>>=20
>>> Well, if you like, we can leave 60 seconds here, but I would not go for a=
 much
>>> longer timeout. If a network issue takes longer than a minute, requiring =
a re-login
>>> looks reasonable to me (it does for 30 seconds also, but hey ;-) ).
>>=20
>> No, it kills whatever I am running and a 60 second break happens very quic=
kly with a DSL reconnect or rebooting an access point somewhere. Why is that =
supposed to break the SSH session, too?
>>=20
>>>=20
>>> Thanks, and best regards,
>>> Peter M=C3=BCller
>>>=20
>>>=20
>>>> Hello,
>>>>=20
>>>>> On 1 Feb 2021, at 18:06, Peter M=C3=BCller <peter.mueller(a)ipfire.org>=
 wrote:
>>>>>=20
>>>>> By default, both SSH server and client rely on TCP-based keep alive
>>>>> messages to detect broken sessions, which can be spoofed rather easily
>>>>> in order to keep a broken session opened (and vice versa).
>>>>>=20
>>>>> Since we rely on SSH-based keep alive messages, which are not vulnerable
>>>>> to this kind of tampering, there is no need to double-check connections
>>>>> via TCP keep alive as well.
>>>>>=20
>>>>> This patch thereof disables using TCP keep alive for both SSH client and
>>>>> server scenario. Further, {Client,Server}AliveCountMax default to 3,
>>>>> which is sufficient (3 * 10 sec. =3D broken SSH connections die after 30
>>>>> seconds), so we can omit that option. 60 seconds won't have any
>>>>> advantage here.
>>>>=20
>>>> Is there any considerable downside of increasing this to something more =
useless?
>>>>=20
>>>> I constantly run into broken SSH sessions because of smaller network hic=
cups (WiFi, VPNs, my crappy ISP, etc.). It would be useful to hold the connec=
tion for a little bit longer so that I can spend more time on fixing stuff in=
stead of logging back in.
>>>>=20
>>>> -Michael
>>>>=20
>>>>>=20
>>>>> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
>>>>> ---
>>>>> config/ssh/ssh_config  | 11 +++++++----
>>>>> config/ssh/sshd_config |  7 ++++---
>>>>> 2 files changed, 11 insertions(+), 7 deletions(-)
>>>>>=20
>>>>> diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
>>>>> index 2e2ee60c3..ab0967086 100644
>>>>> --- a/config/ssh/ssh_config
>>>>> +++ b/config/ssh/ssh_config
>>>>> @@ -5,7 +5,7 @@
>>>>>=20
>>>>> # Set some basic hardening options for all connections
>>>>> Host *
>>>>> -        # Disable Roaming as it is known to be vulnerable
>>>>> +        # Disable undocumented roaming feature as it is known to be vu=
lnerable
>>>>>      UseRoaming no
>>>>>=20
>>>>>      # Only use secure crypto algorithms
>>>>> @@ -13,15 +13,18 @@ Host *
>>>>>      Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,a=
es128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
>>>>>      MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.c=
om,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.=
com
>>>>>=20
>>>>> -        # Always visualise server host keys (but helps to identify key=
 based MITM attacks)
>>>>> +        # Always visualise server host keys (helps to identify key bas=
ed MITM attacks)
>>>>>      VisualHostKey yes
>>>>>=20
>>>>>      # Use SSHFP (might work on some up-to-date networks) to look up ho=
st keys
>>>>>      VerifyHostKeyDNS yes
>>>>>=20
>>>>> -        # send keep-alive messages to connected server to avoid broken=
 connections
>>>>> +        # Send SSH-based keep alive messages to connected server to av=
oid broken connections
>>>>>      ServerAliveInterval 10
>>>>> -        ServerAliveCountMax 6
>>>>> +
>>>>> +	# Disable TCP keep alive messages since they can be spoofed and we ha=
ve SSH-based
>>>>> +	# keep alive messages enabled; there is no need to do things twice he=
re
>>>>> +	TCPKeepAlive no
>>>>>=20
>>>>>      # Ensure only allowed authentication methods are used
>>>>>      PreferredAuthentications publickey,keyboard-interactive,password
>>>>> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
>>>>> index bea5cee53..a9eb5ff14 100644
>>>>> --- a/config/ssh/sshd_config
>>>>> +++ b/config/ssh/sshd_config
>>>>> @@ -47,11 +47,12 @@ AllowTcpForwarding no
>>>>> AllowAgentForwarding no
>>>>> PermitOpen none
>>>>>=20
>>>>> -# Detect broken sessions by sending keep-alive messages to clients via=
 SSH connection
>>>>> +# Send SSH-based keep alive messages every 10 seconds
>>>>> ClientAliveInterval 10
>>>>>=20
>>>>> -# Close unresponsive SSH sessions which fail to answer keep-alive
>>>>> -ClientAliveCountMax 6
>>>>> +# Since TCP keep alive messages can be spoofed and we have the SSH-bas=
ed already,
>>>>> +# there is no need for this to be enabled as well
>>>>> +TCPKeepAlive no
>>>>>=20
>>>>> # Add support for SFTP
>>>>> Subsystem	sftp	/usr/lib/openssh/sftp-server
>>>>> --=20
>>>>> 2.26.2
>>>>=20
>>=20


--===============8606760416582371378==--