Hello,
On 1 Feb 2021, at 18:06, Peter Müller peter.mueller@ipfire.org wrote:
By default, both SSH server and client rely on TCP-based keep alive messages to detect broken sessions, which can be spoofed rather easily in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable to this kind of tampering, there is no need to double-check connections via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and server scenario. Further, {Client,Server}AliveCountMax default to 3, which is sufficient (3 * 10 sec. = broken SSH connections die after 30 seconds), so we can omit that option. 60 seconds won't have any advantage here.
Is there any considerable downside of increasing this to something more useless?
I constantly run into broken SSH sessions because of smaller network hiccups (WiFi, VPNs, my crappy ISP, etc.). It would be useful to hold the connection for a little bit longer so that I can spend more time on fixing stuff instead of logging back in.
-Michael
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/ssh/ssh_config | 11 +++++++---- config/ssh/sshd_config | 7 ++++--- 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 2e2ee60c3..ab0967086 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -5,7 +5,7 @@
# Set some basic hardening options for all connections Host *
# Disable Roaming as it is known to be vulnerable
# Disable undocumented roaming feature as it is known to be vulnerable UseRoaming no # Only use secure crypto algorithms@@ -13,15 +13,18 @@ Host * Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Always visualise server host keys (but helps to identify key based MITM attacks)
# Always visualise server host keys (helps to identify key based MITM attacks) VisualHostKey yes # Use SSHFP (might work on some up-to-date networks) to look up host keys VerifyHostKeyDNS yes
# send keep-alive messages to connected server to avoid broken connections
# Send SSH-based keep alive messages to connected server to avoid broken connections ServerAliveInterval 10
ServerAliveCountMax 6
# Disable TCP keep alive messages since they can be spoofed and we have SSH-based
# keep alive messages enabled; there is no need to do things twice here
TCPKeepAlive no
# Ensure only allowed authentication methods are used PreferredAuthentications publickey,keyboard-interactive,password
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index bea5cee53..a9eb5ff14 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -47,11 +47,12 @@ AllowTcpForwarding no AllowAgentForwarding no PermitOpen none
-# Detect broken sessions by sending keep-alive messages to clients via SSH connection +# Send SSH-based keep alive messages every 10 seconds ClientAliveInterval 10
-# Close unresponsive SSH sessions which fail to answer keep-alive -ClientAliveCountMax 6 +# Since TCP keep alive messages can be spoofed and we have the SSH-based already, +# there is no need for this to be enabled as well +TCPKeepAlive no
# Add support for SFTP Subsystem sftp /usr/lib/openssh/sftp-server -- 2.26.2