sshd: ClientAliveCountMax=0 not honoured as expected

Bug #1978816 reported by James Dingwall
This bug affects 1 person
Affects           Status   Importance  Assigned to  Milestone
openssh (Ubuntu)  Invalid  Undecided   Unassigned

Bug Description

$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:8.2p1-4ubuntu0.4
  Candidate: 1:8.2p1-4ubuntu0.4

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal

After upgrading from 'bionic' the openssh ClientAlive* parameters are not functioning as expected in sshd:

/etc/ssh/sshd_config:ClientAliveInterval 900
/etc/ssh/sshd_config:ClientAliveCountMax 0

The expected behaviour is that after 900s with no traffic in the session the server terminates the connection. There appears to be a custom patch in the package which changes this:

    - sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will
      now disable connection killing entirely rather than the current
      behaviour of instantly killing the connection after the first liveness
      test regardless of success.

It is unclear why this is a beneficial change in the default behaviour of sshd. If the user doesn't want the session disconnected then they should set ClientAliveInterval=0. It also defeats our requirement to have idle ssh sessions terminated when nothing has been done for 15 minutes.

It is tempting to mark this as a security issue due to the unexpected change in behaviour and the fact that it would leave idle sessions open whereas a vanilla ssh package would close them.

Paride Legovini (paride) wrote :

Hello James and thanks for your bug report. The "Make ClientAliveCountMax=0 have sensible semantics" change you refer to is actually an upstream change, see the OpenSSH bugfixes here:

  https://www.openssh.com/releasenotes.html

the upstream bug being:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2627

which has a comment similar to yours here.

Even if the new behavior may be sometimes inconvenient I don't think we're going to make Ubuntu deviate from what upstream does (for reasons you clearly understand). As an Ubuntu bug I think this is Invalid, but I'm marking it as Incomplete for now. Please comment back if there's anything I missed or misunderstood, or mark this report as Invalid if you agree with my findings. Thanks!

Changed in openssh (Ubuntu):
status: New → Incomplete
James Dingwall (a-james-launchpad) wrote :

Hi Paride,

I read the wrong changelog file in the source package and mistakenly thought it was debian/ChangeLog. I agree that Ubuntu shouldn't deviate from the upstream in this case and accept that 'Incomplete' is probably the best conclusion for this report.

Thanks,
James

Paride Legovini (paride)
Changed in openssh (Ubuntu):
status: Incomplete → Invalid
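
A configuration check for the behaviour discussed in this report, as an added example that is not part of the bug report or of the OpenSSH or Ubuntu code: it reads the effective configuration printed by `sshd -T` and flags ClientAliveCountMax 0 on a release where that value disables connection killing. The function names, status labels and sample input are constructed for illustration, and the 8.2 cut-off is an assumption taken from the package version shown in the report.

```python
import re

# Constructed sample of `sshd -T` output (effective config, lowercase keywords).
SAMPLE_SSHD_T = """\
port 22
clientaliveinterval 900
clientalivecountmax 0
"""

def parse_effective(text):
    """Return {keyword: value} from `sshd -T` style lines (first value wins)."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def version_tuple(version):
    """'8.2p1' or '1:8.2p1-4ubuntu0.4' -> (8, 2); the package epoch is dropped."""
    m = re.search(r"(\d+)\.(\d+)", version.split(":")[-1])
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def audit_client_alive(sshd_t_output, openssh_version):
    """Classify the ClientAlive* settings; returns (status, detail)."""
    conf = parse_effective(sshd_t_output)
    # sshd defaults: ClientAliveInterval 0, ClientAliveCountMax 3.
    interval = int(conf.get("clientaliveinterval", 0))
    count_max = int(conf.get("clientalivecountmax", 3))
    if interval == 0:
        return "disabled", "ClientAliveInterval 0: no liveness probes are sent"
    if count_max == 0:
        # Assumed cut-off: the semantics quoted in the report apply from 8.2.
        if version_tuple(openssh_version) >= (8, 2):
            return "never-terminates", "ClientAliveCountMax 0 disables connection killing"
        return "legacy-kill", f"connection killed after first liveness test ({interval}s)"
    # Probes detect clients that stop answering, not sessions that are merely idle.
    return "active", f"unresponsive clients dropped after about {interval * count_max}s"
```

Pass it the text printed by `sshd -T` on the host together with the installed package version, for example the `Installed:` value from `apt-cache policy openssh-server`.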