By default, both SSH server and client rely on TCP-based keep alive messages to detect broken sessions, which can be spoofed rather easily in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable to this kind of tampering, there is no need to double-check connections via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and server scenario. For usability reasons, a timeout of 5 minutes (10 seconds * 30 keep alive messages = 300 seconds) will be used for both client and server configuration, as 60 seconds were found to be too short for unstable connectivity scenarios.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/ssh/ssh_config | 12 ++++++++---- config/ssh/sshd_config | 8 +++++--- 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index ee0954d5c..85c069dda 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -5,7 +5,7 @@
# Set some basic hardening options for all connections Host * - # Disable Roaming as it is known to be vulnerable + # Disable undocumented roaming feature as it is known to be vulnerable UseRoaming no
# Only use secure crypto algorithms @@ -13,15 +13,19 @@ Host * Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
- # Always visualise server host keys (but helps to identify key based MITM attacks) + # Always visualise server host keys (helps to identify key based MITM attacks) VisualHostKey yes
# Use SSHFP (might work on some up-to-date networks) to look up host keys VerifyHostKeyDNS yes
- # send keep-alive messages to connected server to avoid broken connections + # Send SSH-based keep alive messages to connected server to avoid broken connections ServerAliveInterval 10 - ServerAliveCountMax 6 + ServerAliveCountMax 30 + + # Disable TCP keep alive messages since they can be spoofed and we have SSH-based + # keep alive messages enabled; there is no need to do things twice here + TCPKeepAlive no
# Ensure only allowed authentication methods are used PreferredAuthentications publickey,keyboard-interactive,password diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 456556540..76c9b3eb1 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -46,11 +46,13 @@ AllowTcpForwarding no AllowAgentForwarding no PermitOpen none
-# Detect broken sessions by sending keep-alive messages to clients via SSH connection +# Send SSH-based keep alive messages to connected clients to avoid broken connections ClientAliveInterval 10 +ClientAliveCountMax 30
-# Close unresponsive SSH sessions which fail to answer keep-alive -ClientAliveCountMax 6 +# Since TCP keep alive messages can be spoofed and we have the SSH-based already, +# there is no need for this to be enabled as well +TCPKeepAlive no
# Add support for SFTP Subsystem sftp /usr/lib/openssh/sftp-server