sshd: ClientAliveCountMax=0 not honoured as expected
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openssh (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
$ apt-cache policy openssh-server
openssh-server:
Installed: 1:8.2p1-4ubuntu0.4
Candidate: 1:8.2p1-4ubuntu0.4
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
After upgrading from 'bionic' the openssh ClientAlive* parameters are not functioning as expected in sshd:
/etc/ssh/
/etc/ssh/
The expected behaviour is that after 900s with no traffic in the session the server terminates the connection. There appears to be a custom patch in the package which changes this:
- sshd(8): Make ClientAliveCoun
now disable connection killing entirely rather than the current
behaviour of instantly killing the connection after the first liveness
test regardless of success.
It is unclear why this is a beneficial change in the default behaviour of sshd. If the user doesn't want the session disconnected then they should set ClientAliveInte
It is tempting to mark this as a security issue due to the unexpected change in behaviour and the fact that it would leave idle sessions open, whereas a vanilla ssh package would close them.
Changed in openssh (Ubuntu):
status: Incomplete → Invalid
Hello James and thanks for your bug report. The "Make ClientAliveCountMax=0 have sensible semantics" change you refer to is actually an upstream change, see the OpenSSH bugfixes here:
https://www.openssh.com/releasenotes.html
the upstream bug being:
https://bugzilla.mindrot.org/show_bug.cgi?id=2627
which has a comment similar to yours here.
Even if the new behavior may be sometimes inconvenient I don't think we're going to make Ubuntu deviate from what upstream does (for reasons you clearly understand). As an Ubuntu bug I think this is Invalid, but I'm marking it as Incomplete for now. Please comment back if there's anything I missed or misunderstood, or mark this report as Invalid if you agree with my findings. Thanks!
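A host can be audited for the configuration discussed in this thread. The following is an added example, not part of the bug report or of OpenSSH: a shell function (the name `check_client_alive` is hypothetical) that reads effective settings as printed by `sshd -T` and reports how the ClientAlive* pair behaves under the semantics quoted above. It assumes the interval is given in plain seconds, as `sshd -T` prints it.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads "keyword value" lines on
# stdin (the lowercase output of `sshd -T`; simple sshd_config lines also
# work) and classifies the ClientAlive* settings.
# check_client_alive is a hypothetical helper name.
check_client_alive() {
    awk '
        /^[ \t]*#/ { next }    # skip comments
        /^[ \t]*$/ { next }    # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Accept both "Keyword value" and "Keyword=value".
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            # sshd keeps the first value it obtains for a keyword.
            if (key == "clientaliveinterval" && !("i" in seen)) {
                interval = f[2]; seen["i"] = 1
            }
            if (key == "clientalivecountmax" && !("c" in seen)) {
                count = f[2]; seen["c"] = 1
            }
        }
        END {
            # sshd defaults when unset: interval 0 (no probes), count 3.
            if (!("i" in seen)) interval = 0
            if (!("c" in seen)) count = 3
            if (interval + 0 == 0)
                print "NO_PROBES"
            else if (count + 0 == 0)
                # The case from this report: with the upstream change,
                # CountMax 0 disables connection killing entirely.
                print "NEVER_DISCONNECTS"
            else
                print "DROPS_UNRESPONSIVE_AFTER " (interval * count) "s"
        }
    '
}

# Constructed sample mirroring the report (900 s interval, CountMax 0).
printf 'clientaliveinterval 900\nclientalivecountmax 0\n' | check_client_alive
```

On a live system the input would come from `sshd -T` run as root; a `NEVER_DISCONNECTS` result means a setting carried over from an older release no longer closes sessions.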