- Committer: Peter Müller
- Date: 2022-04-23 14:27:56 UTC
- Revision ID: git-v1:7a981d94cb2c3e48ecaf07c506c8353a2c839d79
SSH: do not send spoofable TCP keep alive messages
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
| Filename | Latest Rev | Last Changed | Committer | Comment | Size | ||
|---|---|---|---|---|---|---|---|
 ..
|
|||||||
checkdeaddl |
1583 | 16 years ago | maniacikarus | Updated updxlrator to latest stable | 5.4 KB |
|
|
|
checkup |
1583 | 16 years ago | maniacikarus | Updated updxlrator to latest stable | 4.4 KB |
|
|
|
convert |
1357.1.17 | 16 years ago | Maniacikarus | Upgrade updbooster to xlrator 2.0 added to core | 3 KB |
|
|
|
download |
5964 | 7 years ago | Michael Tremer | Fix bug 11567 updxlrator: don't prematurely releas | 6.2 KB |
|
|
|
lscache |
1357.1.17 | 16 years ago | Maniacikarus | Upgrade updbooster to xlrator 2.0 added to core | 6.2 KB |
|
|
|
updxlrator |
6673 | 6 years ago | Michael Tremer | update accelerator: Do not attempt to cache IPFire | 12.7 KB |
|
|
|
updxlrator-lib.pl |
1583 | 16 years ago | maniacikarus | Updated updxlrator to latest stable | 3.1 KB |
|
|