[Bug 1978816] [NEW] sshd: ClientAliveCountMax=0 not honoured as expected
James Dingwall
1978816 at bugs.launchpad.net
Wed Jun 15 10:28:31 UTC 2022
Public bug reported:

$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:8.2p1-4ubuntu0.4
  Candidate: 1:8.2p1-4ubuntu0.4

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal

After upgrading from 'bionic' the openssh ClientAlive* parameters are
not functioning as expected in sshd:

/etc/ssh/sshd_config:ClientAliveInterval 900
/etc/ssh/sshd_config:ClientAliveCountMax 0

The expected behaviour is that after 900s with no traffic in the session
the server terminates the connection. There appears to be a custom
patch in the package which changes this:

 - sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will
   now disable connection killing entirely rather than the current
   behaviour of instantly killing the connection after the first liveness
   test regardless of success.

It is unclear why this is a beneficial change in the default behaviour
of sshd. If the user doesn't want the session disconnected then they
should set ClientAliveInterval=0. It also defeats our requirement to
have idle ssh sessions terminated when nothing has been done for 15
minutes.

It is tempting to mark this as a security issue due to unexpected change
in behaviour and the fact it would leave idle sessions open whereas a
vanilla ssh package would close them.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/1978816
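
An added example, not part of the bug report or of the openssh package: a configuration check that classifies the ClientAlive* pair under the ClientAliveCountMax=0 semantics in the changelog entry quoted above, so a host carrying the reported settings is flagged as never dropping a connection. The function name, verdict strings and sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Classifies the ClientAlive* pair
# using the ClientAliveCountMax=0 semantics from the changelog entry quoted
# in the report: 0 disables connection killing entirely.

# Reads "keyword value" lines on stdin, as printed by `sshd -T` (run as root).
# Prints one verdict line. Exit status:
#   0 = clients that stop answering probes are disconnected
#   1 = no connection is ever dropped by this mechanism
#   2 = a value is not a plain number (seconds or count)
classify_client_alive() {
    awk '
        BEGIN { interval = 0; countmax = 3 }      # OpenSSH defaults when unset
        { key = tolower($1) }
        # sshd uses the first value it sees for a keyword
        key == "clientaliveinterval" && !si { interval = $2; si = 1 }
        key == "clientalivecountmax" && !sc { countmax = $2; sc = 1 }
        END {
            if (interval !~ /^[0-9]+$/ || countmax !~ /^[0-9]+$/) {
                print "error: expected numeric values as in sshd -T output"
                exit 2
            }
            if (interval + 0 == 0) {
                print "off: no client-alive probes are sent"
                exit 1
            }
            if (countmax + 0 == 0) {
                print "no-disconnect: probes every " interval "s, connection killing disabled"
                exit 1
            }
            print "disconnect: after about " (interval * countmax) "s without a client reply"
            exit 0
        }'
}

# Constructed sample: the two settings from the report in `sshd -T` format.
SAMPLE_REPORTED='port 22
clientaliveinterval 900
clientalivecountmax 0'

printf '%s\n' "$SAMPLE_REPORTED" | classify_client_alive || true
```

On a live host the input would come from `sshd -T | classify_client_alive`; a non-zero exit status is the condition to alert on in a compliance scan.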