Message ID | 09688ff4-d262-d136-0d1f-9102732a5e0d@ipfire.org |
---|---|
State | Accepted |
Commit | 7a981d94cb2c3e48ecaf07c506c8353a2c839d79 |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KhzNG1byHz3x1y for <patchwork@web04.haj.ipfire.org>; Mon, 18 Apr 2022 20:40:46 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KhzNF5cz3z1Yh; Mon, 18 Apr 2022 20:40:45 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KhzNF50yLz2yDF; Mon, 18 Apr 2022 20:40:45 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KhzNF057mz2y0t for <development@lists.ipfire.org>; Mon, 18 Apr 2022 20:40:45 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KhzND13qFzdh for <development@lists.ipfire.org>; Mon, 18 Apr 2022 20:40:43 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1650314444; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0T/g/8KqCx0vGfnrp8Xv9bWCyzArk1HgmAVORkGEol4=; b=Q1mC4C6IlUGo/5AxG3CZGrwBFKyA+chaMVCFlSG3kMZKG5nN4VW9NXJaMcyJamqBfSHYjS eJPLkuLr/pVjhnAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1650314444; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0T/g/8KqCx0vGfnrp8Xv9bWCyzArk1HgmAVORkGEol4=; b=tNIgfMS8Xs4zGq3sCviKCAEnrrk8+yfoVPFTEVbjX+qjPF8V6oKp2nNw2O9dGdYLpOKJ7l 5BbHGOMlfMRmBKrJBd5zHQ7erR22Z+rkpLKpHhVVgYUx9/V8lz3H1J6EuFq6jVQrHhVdpv iWDZwYM/aC2yC9x/YhYJpTFp0pTa4lSqlEW3x01eZyLGlqaKjvdMRyLFE/QWR+8vJi2U19 QhnIwdNxrYC6Ule1JF+0n1doupl5wqgXX/vSny5ry3TcusfSHdNoD6UXhSRpfnDBXTYDfa uIoyRu3JJ9DFtcOJQgslH9Jg12E8KEonroC5i5Inapor/VQzwEDY0b7SEPjkZQ== Message-ID: <09688ff4-d262-d136-0d1f-9102732a5e0d@ipfire.org> Date: Mon, 18 Apr 2022 20:40:41 +0000 MIME-Version: 1.0 Subject: [PATCH 3/3] SSH: do not send spoofable TCP keep alive messages Content-Language: en-US To: development@lists.ipfire.org References: <2bd37d93-0a56-8a49-46a8-4e31afc6d582@ipfire.org> <a0fdac73-2eea-f2b2-3756-2ce83c80481c@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> In-Reply-To: <a0fdac73-2eea-f2b2-3756-2ce83c80481c@ipfire.org> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
[1/3] OpenSSH: Update to 9.0p1
|
|
Commit Message
Peter Müller
April 18, 2022, 8:40 p.m. UTC
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/ssh/ssh_config | 12 ++++++++----
config/ssh/sshd_config | 8 +++++---
2 files changed, 13 insertions(+), 7 deletions(-)
Comments
Hello, Thanks for this. I would personally like a longer timeout than 60 seconds. If a DSL modem loses sync, or DFS kicks in and the WiFi has to change channels, 60 seconds is not a long time. There cannot be any security reason for keeping it that low, so I would like to ask if there is any other reason that I missed. -Michael > On 18 Apr 2022, at 21:40, Peter Müller <peter.mueller@ipfire.org> wrote: > > By default, both SSH server and client rely on TCP-based keep alive > messages to detect broken sessions, which can be spoofed rather easily > in order to keep a broken session opened (and vice versa). > > Since we rely on SSH-based keep alive messages, which are not vulnerable > to this kind of tampering, there is no need to double-check connections > via TCP keep alive as well. > > This patch thereof disables using TCP keep alive for both SSH client and > server scenario. For usability reasons, a timeout of 5 minutes (10 > seconds * 30 keep alive messages = 300 seconds) will be used for both > client and server configuration, as 60 seconds were found to be too > short for unstable connectivity scenarios. > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/ssh/ssh_config | 12 ++++++++---- > config/ssh/sshd_config | 8 +++++--- > 2 files changed, 13 insertions(+), 7 deletions(-) > > diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config > index ee0954d5c..85c069dda 100644 > --- a/config/ssh/ssh_config > +++ b/config/ssh/ssh_config > @@ -5,7 +5,7 @@ > > # Set some basic hardening options for all connections > Host * > - # Disable Roaming as it is known to be vulnerable > + # Disable undocumented roaming feature as it is known to be vulnerable > UseRoaming no > > # Only use secure crypto algorithms > @@ -13,15 +13,19 @@ Host * > Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr > MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com > > - # Always visualise server host keys (but helps to identify key based MITM attacks) > + # Always visualise server host keys (helps to identify key based MITM attacks) > VisualHostKey yes > > # Use SSHFP (might work on some up-to-date networks) to look up host keys > VerifyHostKeyDNS yes > > - # send keep-alive messages to connected server to avoid broken connections > + # Send SSH-based keep alive messages to connected server to avoid broken connections > ServerAliveInterval 10 > - ServerAliveCountMax 6 > + ServerAliveCountMax 30 > + > + # Disable TCP keep alive messages since they can be spoofed and we have SSH-based > + # keep alive messages enabled; there is no need to do things twice here > + TCPKeepAlive no > > # Ensure only allowed authentication methods are used > PreferredAuthentications publickey,keyboard-interactive,password > diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config > index 456556540..76c9b3eb1 100644 > --- a/config/ssh/sshd_config > +++ b/config/ssh/sshd_config > @@ -46,11 +46,13 @@ AllowTcpForwarding no > AllowAgentForwarding no > PermitOpen none > > -# Detect broken sessions by sending keep-alive messages to clients via SSH connection > +# Send SSH-based keep alive messages to connected clients to avoid broken connections > ClientAliveInterval 10 > +ClientAliveCountMax 30 > > -# Close unresponsive SSH sessions which fail to answer keep-alive > -ClientAliveCountMax 6 > +# Since TCP keep alive messages can be spoofed and we have the SSH-based already, > +# there is no need for this to be enabled as well > +TCPKeepAlive no > > # Add support for SFTP > Subsystem sftp /usr/lib/openssh/sftp-server > -- > 2.34.1
Hello Michael, thanks for your reply. > Hello, > > Thanks for this. > > I would personally like a longer timeout than 60 seconds. > > If a DSL modem loses sync, or DFS kicks in and the WiFi has to change channels, 60 seconds is not a long time. There cannot be any security reason for keeping it that low, so I would like to ask if there is any other reason that I missed. Um, actually, this patch features a timeout of five minutes (10 seconds * 30 keep-alive's = 300 seconds = 5 minutes) before a dangling SSH connection is being terminated. Or did I misunderstand you? Thanks, and best regards, Peter Müller > > -Michael > >> On 18 Apr 2022, at 21:40, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> By default, both SSH server and client rely on TCP-based keep alive >> messages to detect broken sessions, which can be spoofed rather easily >> in order to keep a broken session opened (and vice versa). >> >> Since we rely on SSH-based keep alive messages, which are not vulnerable >> to this kind of tampering, there is no need to double-check connections >> via TCP keep alive as well. >> >> This patch thereof disables using TCP keep alive for both SSH client and >> server scenario. For usability reasons, a timeout of 5 minutes (10 >> seconds * 30 keep alive messages = 300 seconds) will be used for both >> client and server configuration, as 60 seconds were found to be too >> short for unstable connectivity scenarios. This was precisely your concern about the first attempt of this patch, which is why I raised this to 300 seconds instead of 60. >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> config/ssh/ssh_config | 12 ++++++++---- >> config/ssh/sshd_config | 8 +++++--- >> 2 files changed, 13 insertions(+), 7 deletions(-) >> >> diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config >> index ee0954d5c..85c069dda 100644 >> --- a/config/ssh/ssh_config >> +++ b/config/ssh/ssh_config >> @@ -5,7 +5,7 @@ >> >> # Set some basic hardening options for all connections >> Host * >> - # Disable Roaming as it is known to be vulnerable >> + # Disable undocumented roaming feature as it is known to be vulnerable >> UseRoaming no >> >> # Only use secure crypto algorithms >> @@ -13,15 +13,19 @@ Host * >> Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr >> MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com >> >> - # Always visualise server host keys (but helps to identify key based MITM attacks) >> + # Always visualise server host keys (helps to identify key based MITM attacks) >> VisualHostKey yes >> >> # Use SSHFP (might work on some up-to-date networks) to look up host keys >> VerifyHostKeyDNS yes >> >> - # send keep-alive messages to connected server to avoid broken connections >> + # Send SSH-based keep alive messages to connected server to avoid broken connections >> ServerAliveInterval 10 >> - ServerAliveCountMax 6 >> + ServerAliveCountMax 30 >> + >> + # Disable TCP keep alive messages since they can be spoofed and we have SSH-based >> + # keep alive messages enabled; there is no need to do things twice here >> + TCPKeepAlive no >> >> # Ensure only allowed authentication methods are used >> PreferredAuthentications publickey,keyboard-interactive,password >> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config >> index 456556540..76c9b3eb1 100644 >> --- a/config/ssh/sshd_config >> +++ b/config/ssh/sshd_config >> @@ -46,11 +46,13 @@ AllowTcpForwarding no >> AllowAgentForwarding no >> PermitOpen none >> >> -# Detect broken sessions by sending keep-alive messages to clients via SSH connection >> +# Send SSH-based keep alive messages to connected clients to avoid broken connections >> ClientAliveInterval 10 >> +ClientAliveCountMax 30 >> >> -# Close unresponsive SSH sessions which fail to answer keep-alive >> -ClientAliveCountMax 6 >> +# Since TCP keep alive messages can be spoofed and we have the SSH-based already, >> +# there is no need for this to be enabled as well >> +TCPKeepAlive no >> >> # Add support for SFTP >> Subsystem sftp /usr/lib/openssh/sftp-server >> -- >> 2.34.1 >
Oh, maybe I misread your first email. Sorry. 5 minutes > 60s. Cool. > On 19 Apr 2022, at 11:40, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Michael, > > thanks for your reply. > >> Hello, >> >> Thanks for this. >> >> I would personally like a longer timeout than 60 seconds. >> >> If a DSL modem loses sync, or DFS kicks in and the WiFi has to change channels, 60 seconds is not a long time. There cannot be any security reason for keeping it that low, so I would like to ask if there is any other reason that I missed. > > Um, actually, this patch features a timeout of five minutes (10 seconds * 30 keep-alive's = 300 > seconds = 5 minutes) before a dangling SSH connection is being terminated. Or did I misunderstand > you? > > Thanks, and best regards, > Peter Müller > >> >> -Michael >> >>> On 18 Apr 2022, at 21:40, Peter Müller <peter.mueller@ipfire.org> wrote: >>> >>> By default, both SSH server and client rely on TCP-based keep alive >>> messages to detect broken sessions, which can be spoofed rather easily >>> in order to keep a broken session opened (and vice versa). >>> >>> Since we rely on SSH-based keep alive messages, which are not vulnerable >>> to this kind of tampering, there is no need to double-check connections >>> via TCP keep alive as well. >>> >>> This patch thereof disables using TCP keep alive for both SSH client and >>> server scenario. For usability reasons, a timeout of 5 minutes (10 >>> seconds * 30 keep alive messages = 300 seconds) will be used for both >>> client and server configuration, as 60 seconds were found to be too >>> short for unstable connectivity scenarios. > > This was precisely your concern about the first attempt of this patch, which > is why I raised this to 300 seconds instead of 60. > >>> >>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >>> --- >>> config/ssh/ssh_config | 12 ++++++++---- >>> config/ssh/sshd_config | 8 +++++--- >>> 2 files changed, 13 insertions(+), 7 deletions(-) >>> >>> diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config >>> index ee0954d5c..85c069dda 100644 >>> --- a/config/ssh/ssh_config >>> +++ b/config/ssh/ssh_config >>> @@ -5,7 +5,7 @@ >>> >>> # Set some basic hardening options for all connections >>> Host * >>> - # Disable Roaming as it is known to be vulnerable >>> + # Disable undocumented roaming feature as it is known to be vulnerable >>> UseRoaming no >>> >>> # Only use secure crypto algorithms >>> @@ -13,15 +13,19 @@ Host * >>> Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr >>> MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com >>> >>> - # Always visualise server host keys (but helps to identify key based MITM attacks) >>> + # Always visualise server host keys (helps to identify key based MITM attacks) >>> VisualHostKey yes >>> >>> # Use SSHFP (might work on some up-to-date networks) to look up host keys >>> VerifyHostKeyDNS yes >>> >>> - # send keep-alive messages to connected server to avoid broken connections >>> + # Send SSH-based keep alive messages to connected server to avoid broken connections >>> ServerAliveInterval 10 >>> - ServerAliveCountMax 6 >>> + ServerAliveCountMax 30 >>> + >>> + # Disable TCP keep alive messages since they can be spoofed and we have SSH-based >>> + # keep alive messages enabled; there is no need to do things twice here >>> + TCPKeepAlive no >>> >>> # Ensure only allowed authentication methods are used >>> PreferredAuthentications publickey,keyboard-interactive,password >>> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config >>> index 456556540..76c9b3eb1 100644 >>> --- a/config/ssh/sshd_config >>> +++ b/config/ssh/sshd_config >>> @@ -46,11 +46,13 @@ AllowTcpForwarding no >>> AllowAgentForwarding no >>> PermitOpen none >>> >>> -# Detect broken sessions by sending keep-alive messages to clients via SSH connection >>> +# Send SSH-based keep alive messages to connected clients to avoid broken connections >>> ClientAliveInterval 10 >>> +ClientAliveCountMax 30 >>> >>> -# Close unresponsive SSH sessions which fail to answer keep-alive >>> -ClientAliveCountMax 6 >>> +# Since TCP keep alive messages can be spoofed and we have the SSH-based already, >>> +# there is no need for this to be enabled as well >>> +TCPKeepAlive no >>> >>> # Add support for SFTP >>> Subsystem sftp /usr/lib/openssh/sftp-server >>> -- >>> 2.34.1
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index ee0954d5c..85c069dda 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -5,7 +5,7 @@ # Set some basic hardening options for all connections Host * - # Disable Roaming as it is known to be vulnerable + # Disable undocumented roaming feature as it is known to be vulnerable UseRoaming no # Only use secure crypto algorithms @@ -13,15 +13,19 @@ Host * Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com - # Always visualise server host keys (but helps to identify key based MITM attacks) + # Always visualise server host keys (helps to identify key based MITM attacks) VisualHostKey yes # Use SSHFP (might work on some up-to-date networks) to look up host keys VerifyHostKeyDNS yes - # send keep-alive messages to connected server to avoid broken connections + # Send SSH-based keep alive messages to connected server to avoid broken connections ServerAliveInterval 10 - ServerAliveCountMax 6 + ServerAliveCountMax 30 + + # Disable TCP keep alive messages since they can be spoofed and we have SSH-based + # keep alive messages enabled; there is no need to do things twice here + TCPKeepAlive no # Ensure only allowed authentication methods are used PreferredAuthentications publickey,keyboard-interactive,password diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 456556540..76c9b3eb1 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -46,11 +46,13 @@ AllowTcpForwarding no AllowAgentForwarding no PermitOpen none -# Detect broken sessions by sending keep-alive messages to clients via SSH connection +# Send SSH-based keep alive messages to connected clients to avoid broken connections ClientAliveInterval 10 +ClientAliveCountMax 30 -# Close unresponsive SSH sessions which fail to answer keep-alive -ClientAliveCountMax 6 +# Since TCP keep alive messages can be spoofed and we have the SSH-based already, +# there is no need for this to be enabled as well +TCPKeepAlive no # Add support for SFTP Subsystem sftp /usr/lib/openssh/sftp-server