← Back to branch summary

~vcs-imports/ipfire/ipfire-2.x

  • Committer: Peter Müller
  • Date: 2022-04-23 14:27:56 UTC
  • Revision ID: git-v1:7a981d94cb2c3e48ecaf07c506c8353a2c839d79
SSH: do not send spoofable TCP keep alive messages

By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).

Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.

This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Filename Latest Rev Last Changed Committer Comment Size
..
collectd.conf 9693 2 years ago Peter Müller collectd.conf: Change chain from HOSTILE to HOSTIL 1.6 KB Diff Download File
collectd.custom 2399 14 years ago Christian Schmidt Once again collectd config files. 61 bytes Diff Download File
collectd.precache 2399 14 years ago Christian Schmidt Once again collectd config files. 1.3 KB Diff Download File
collectd.thermal 1790.1.19 15 years ago Arne Fitzenreiter Fix collectd thermal-zone disabling 276 bytes Diff Download File
collectd.vpn 4405.89.5 10 years ago Alexander Marx vpn-statistic: Move logfiles to /var/run because o 84 bytes Diff Download File