By default, both SSH server and client rely on TCP-based keep alive messages to detect broken sessions, which can be spoofed rather easily in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable to this kind of tampering, there is no need to double-check connections via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and server scenario. Further, {Client,Server}AliveCountMax default to 3, which is sufficient (3 * 10 sec. = broken SSH connections die after 30 seconds), so we can omit that option. 60 seconds won't have any advantage here.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/ssh/ssh_config | 11 +++++++---- config/ssh/sshd_config | 7 ++++--- 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 2e2ee60c3..ab0967086 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -5,7 +5,7 @@
# Set some basic hardening options for all connections Host * - # Disable Roaming as it is known to be vulnerable + # Disable undocumented roaming feature as it is known to be vulnerable UseRoaming no
# Only use secure crypto algorithms @@ -13,15 +13,18 @@ Host * Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
- # Always visualise server host keys (but helps to identify key based MITM attacks) + # Always visualise server host keys (helps to identify key based MITM attacks) VisualHostKey yes
# Use SSHFP (might work on some up-to-date networks) to look up host keys VerifyHostKeyDNS yes
- # send keep-alive messages to connected server to avoid broken connections + # Send SSH-based keep alive messages to connected server to avoid broken connections ServerAliveInterval 10 - ServerAliveCountMax 6 + + # Disable TCP keep alive messages since they can be spoofed and we have SSH-based + # keep alive messages enabled; there is no need to do things twice here + TCPKeepAlive no
# Ensure only allowed authentication methods are used PreferredAuthentications publickey,keyboard-interactive,password diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index bea5cee53..a9eb5ff14 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -47,11 +47,12 @@ AllowTcpForwarding no AllowAgentForwarding no PermitOpen none
-# Detect broken sessions by sending keep-alive messages to clients via SSH connection +# Send SSH-based keep alive messages every 10 seconds ClientAliveInterval 10
-# Close unresponsive SSH sessions which fail to answer keep-alive -ClientAliveCountMax 6 +# Since TCP keep alive messages can be spoofed and we have the SSH-based already, +# there is no need for this to be enabled as well +TCPKeepAlive no
# Add support for SFTP Subsystem sftp /usr/lib/openssh/sftp-server