* [PATCH] SSH: do not send spoofable TCP keep alive messages
From: Peter Müller @ 2021-02-01 18:06 UTC
To: development
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session open (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch therefore disables using TCP keep alive for both SSH client and
server scenario. Further, {Client,Server}AliveCountMax default to 3,
which is sufficient (3 * 10 sec. = broken SSH connections die after 30
seconds), so we can omit that option. 60 seconds won't have any
advantage here.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/ssh/ssh_config | 11 +++++++----
config/ssh/sshd_config | 7 ++++---
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index 2e2ee60c3..ab0967086 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -5,7 +5,7 @@
# Set some basic hardening options for all connections
Host *
- # Disable Roaming as it is known to be vulnerable
+ # Disable undocumented roaming feature as it is known to be vulnerable
UseRoaming no
# Only use secure crypto algorithms
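Review bot: the rewording of the comment above `UseRoaming no` is unrelated to the TCP keep alive change this patch is about, and the commit message does not mention it; either split it into its own commit or add one sentence to the commit message so the log explains why this hunk is here.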
@@ -13,15 +13,18 @@ Host *
Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
- # Always visualise server host keys (but helps to identify key based MITM attacks)
+ # Always visualise server host keys (helps to identify key based MITM attacks)
VisualHostKey yes
# Use SSHFP (might work on some up-to-date networks) to look up host keys
VerifyHostKeyDNS yes
- # send keep-alive messages to connected server to avoid broken connections
+ # Send SSH-based keep alive messages to connected server to avoid broken connections
ServerAliveInterval 10
- ServerAliveCountMax 6
+
+ # Disable TCP keep alive messages since they can be spoofed and we have SSH-based
+ # keep alive messages enabled; there is no need to do things twice here
+ TCPKeepAlive no
# Ensure only allowed authentication methods are used
PreferredAuthentications publickey,keyboard-interactive,password
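Review bot: removing `ServerAliveCountMax 6` halves the time a silent server is tolerated (60 s down to 3 × 10 s = 30 s), but that new behaviour is only visible to a reader who knows OpenSSH's default of 3. Keep the value explicit, e.g. `ServerAliveCountMax 3` with a comment stating the resulting 30 s, so the effective timeout can be read from the file and does not move silently if the default ever changes. With `TCPKeepAlive no`, `ServerAliveInterval` is also the only dead-peer detection the client has left; the new comment should say so rather than "no need to do things twice here".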
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index bea5cee53..a9eb5ff14 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -47,11 +47,12 @@ AllowTcpForwarding no
AllowAgentForwarding no
PermitOpen none
-# Detect broken sessions by sending keep-alive messages to clients via SSH connection
+# Send SSH-based keep alive messages every 10 seconds
ClientAliveInterval 10
-# Close unresponsive SSH sessions which fail to answer keep-alive
-ClientAliveCountMax 6
+# Since TCP keep alive messages can be spoofed and we have the SSH-based already,
+# there is no need for this to be enabled as well
+TCPKeepAlive no
# Add support for SFTP
Subsystem sftp /usr/lib/openssh/sftp-server
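Review bot: the removed lines took the comment "Close unresponsive SSH sessions which fail to answer keep-alive" with them, so the file no longer states what happens to a client that stops answering; keep `ClientAliveCountMax 3` together with that comment so the 30 s cut-off is explicit. Since `TCPKeepAlive no` leaves `ClientAliveInterval` as the only mechanism that frees sessions of vanished clients, the comment above `TCPKeepAlive no` should name that dependency instead of just "no need for this to be enabled as well".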
--
2.26.2
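The arithmetic in the commit message (interval × count = seconds until a broken session is dropped) is worth checking against a real file, so here is an added lint, not code from the patch, the IPFire project or OpenSSH: it parses the keep-alive directives from an sshd_config or ssh_config fragment, fills in OpenSSH's documented defaults (*AliveInterval 0, *AliveCountMax 3, TCPKeepAlive yes), reports the effective detection time, and flags the failure mode of switching TCPKeepAlive off without an SSH-level check. The sample fragments are constructed from the patch's own lines; Host/Match blocks are assumed absent.

```python
"""Keep-alive lint for OpenSSH config fragments (added example, not part of
the patch or of OpenSSH). Computes the effective dead-peer timeout and flags
the combination the patch must avoid: TCPKeepAlive off with no SSH-level check."""
import re

# OpenSSH defaults per sshd_config(5)/ssh_config(5): an *AliveInterval of 0
# disables the SSH-level check, *AliveCountMax is 3, TCPKeepAlive is yes.
DEFAULTS = {
    "clientaliveinterval": 0,
    "clientalivecountmax": 3,
    "serveraliveinterval": 0,
    "serveralivecountmax": 3,
    "tcpkeepalive": "yes",
}


def parse_keepalive(config_text):
    """Return the effective keep-alive settings found in config_text.

    Keywords are case-insensitive and, as in OpenSSH, the first value read
    for a keyword wins. Comments and blank lines are skipped. Assumption:
    a flat hardening file like the patched one, no Host/Match blocks.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in settings and key not in seen:
            seen.add(key)
            settings[key] = value.lower() if key == "tcpkeepalive" else int(value)
    return settings


def assess(settings, role):
    """Judge settings for role "server" (sshd_config) or "client" (ssh_config).

    Returns (seconds until a broken session is detected, or None; findings).
    """
    prefix = "clientalive" if role == "server" else "serveralive"
    interval = settings[prefix + "interval"]
    count_max = settings[prefix + "countmax"]
    tcp_on = settings["tcpkeepalive"] == "yes"
    findings = []
    if interval <= 0:
        # No SSH-level probes: liveness rests on TCP keep alive, or on nothing.
        if tcp_on:
            findings.append("liveness relies solely on spoofable TCP keep alive")
        else:
            findings.append("no liveness check at all: TCPKeepAlive off and "
                            "the SSH-level alive check disabled")
        return None, findings
    if tcp_on:
        findings.append("TCPKeepAlive still on; redundant with the SSH-level check")
    # The peer is dropped after count_max unanswered probes sent interval s apart.
    return interval * count_max, findings


def count_max_for(interval, target_seconds):
    """Smallest *AliveCountMax that drops a dead peer within target_seconds."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    return max(1, -(-target_seconds // interval))  # ceiling division


# Constructed samples: the server and client fragments as the patch leaves them,
# and a misconfiguration that switched TCP keep alive off on its own.
PATCHED_SSHD = """\
AllowAgentForwarding no
PermitOpen none

# Send SSH-based keep alive messages every 10 seconds
ClientAliveInterval 10

# Since TCP keep alive messages can be spoofed and we have the SSH-based already,
# there is no need for this to be enabled as well
TCPKeepAlive no
"""

PATCHED_SSH = """\
Host *
    ServerAliveInterval 10
    TCPKeepAlive no
"""

BROKEN_SSHD = "TCPKeepAlive no\n"

if __name__ == "__main__":
    for name, text, role in (("sshd_config", PATCHED_SSHD, "server"),
                             ("ssh_config", PATCHED_SSH, "client"),
                             ("broken sshd_config", BROKEN_SSHD, "server")):
        timeout, findings = assess(parse_keepalive(text), role)
        print(f"{name}: detected after {timeout}s, findings={findings}")
    # CountMax needed for the 60 s the patch removed and for a 15 minute window
    print(count_max_for(10, 60), count_max_for(10, 15 * 60))
```

Running it against a file pulled from `sshd -T` output works the same way, since that output is flat keyword/value lines.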
* Re: [PATCH] SSH: do not send spoofable TCP keep alive messages
From: Michael Tremer @ 2021-02-08 13:48 UTC
To: development
Hello,
> On 1 Feb 2021, at 18:06, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> By default, both SSH server and client rely on TCP-based keep alive
> messages to detect broken sessions, which can be spoofed rather easily
> in order to keep a broken session open (and vice versa).
>
> Since we rely on SSH-based keep alive messages, which are not vulnerable
> to this kind of tampering, there is no need to double-check connections
> via TCP keep alive as well.
>
> This patch therefore disables using TCP keep alive for both SSH client and
> server scenario. Further, {Client,Server}AliveCountMax default to 3,
> which is sufficient (3 * 10 sec. = broken SSH connections die after 30
> seconds), so we can omit that option. 60 seconds won't have any
> advantage here.
Is there any considerable downside of increasing this to something more useless?
I constantly run into broken SSH sessions because of smaller network hiccups (WiFi, VPNs, my crappy ISP, etc.). It would be useful to hold the connection for a little bit longer so that I can spend more time on fixing stuff instead of logging back in.
-Michael
* Re: [PATCH] SSH: do not send spoofable TCP keep alive messages
From: Peter Müller @ 2021-04-02 19:27 UTC
To: development
Hello Michael,
thank you for your reply.
Context-based, I guess you meant "something more useful", didn't you? :-)
Well, if you like, we can leave 60 seconds here, but I would not go for a much
longer timeout. If a network issue takes longer than a minute, requiring a re-login
looks reasonable to me (it does for 30 seconds also, but hey ;-) ).
Thanks, and best regards,
Peter Müller
* Re: [PATCH] SSH: do not send spoofable TCP keep alive messages
From: Michael Tremer @ 2021-04-06 10:16 UTC
To: development
Hi,
> On 2 Apr 2021, at 20:27, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Michael,
>
> thank you for your reply.
>
> Context-based, I guess you meant "something more useful", didn't you? :-)
Seems so. I struggle a lot with auto-correct.
> Well, if you like, we can leave 60 seconds here, but I would not go for a much
> longer timeout. If a network issue takes longer than a minute, requiring a re-login
> looks reasonable to me (it does for 30 seconds also, but hey ;-) ).
No, it kills whatever I am running and a 60 second break happens very quickly with a DSL reconnect or rebooting an access point somewhere. Why is that supposed to break the SSH session, too?
* Re: [PATCH] SSH: do not send spoofable TCP keep alive messages
From: Peter Müller @ 2021-04-10 12:57 UTC
To: development
Hello Michael,
thanks for your reply.
Which timeout value would you suggest then?
Thanks, and best regards,
Peter Müller
* Re: [PATCH] SSH: do not send spoofable TCP keep alive messages
From: Michael Tremer @ 2021-04-10 13:10 UTC
To: development
15 minutes
* Re: [PATCH] SSH: do not send spoofable TCP keep alive messages
From: Michael Tremer @ 2021-04-10 13:14 UTC
To: development
15 minutes