[Cialug] SSH annoyance

Zachary Kotlarek zach at kotlarek.com
Tue Mar 3 16:03:34 CST 2009


On Mar 3, 2009, at 2:44 PM, David Champion wrote:

> Note: there is also a TCPKeepAlive option, but it's not recommended  
> that you use that because it can allow your connection to be  
> spoofed, instead use the ServerAliveInterval and ServerAliveCountMax  
> settings as Dan suggests.


TCP keepalives can be spoofed, at least if you're in a position to do  
TCP spoofing in general, but in most cases that does not pose any  
significant risk. The only spoofing that can be done is to watch for a  
connection that goes dead but does not close and then send fake  
keepalives to keep the TCP connection open. As far as I can tell  
there's no practical increased risk if you do not rely on knowing  
exactly when SSH sessions, and you get the benefit of reaping half-dead  
connections (not terribly important for the client, but useful  
server-side). Also note that TCPKeepAlive is on by default, so you  
must explicitly disable it if you don't want to use them.

As others have noted you still probably want ServerAlive/ClientAlive if  
your goal is to generate activity on a frequent basis or know quickly  
when the remote host becomes unreachable. Spoofing issues aside, TCP  
keepalives just have too long a timeout (typically 2 hours, and  
configurable only for the whole TCP stack) to be useful for such  
purposes.

	Zach
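To make the timing difference in this thread concrete, here is an added example (not code from the original post or from OpenSSH): a POSIX sh script that reads ServerAliveInterval and ServerAliveCountMax from a constructed ssh_config fragment, computes how long the client waits before declaring the server unreachable (OpenSSH defaults of 0 and 3 are assumed when an option is absent), and contrasts that with the kernel-wide TCP keepalive idle time. The host names "bastion" and "legacy" and their settings are illustrative assumptions.

```shell
#!/bin/sh
# Added example: SSH-level ServerAlive timeout versus the host-wide TCP keepalive timer.

# Constructed sample ssh_config fragment (values are illustrative assumptions).
SAMPLE_CONFIG='Host bastion
    ServerAliveInterval 15
    ServerAliveCountMax 3
    TCPKeepAlive yes
Host legacy
    TCPKeepAlive yes
'

# Print the value of an option inside one Host block, or nothing if unset.
# $1 = config text, $2 = host label, $3 = option name (matched case-insensitively)
config_value() {
    printf '%s\n' "$1" | awk -v host="$2" -v opt="$3" '
        tolower($1) == "host" { inblock = ($2 == host); next }
        inblock && tolower($1) == tolower(opt) { print $2; exit }'
}

# Seconds until ssh gives up on an unresponsive server for a Host block.
# OpenSSH defaults: ServerAliveInterval 0 (mechanism disabled), ServerAliveCountMax 3.
# Prints 0 when ServerAlive probing is disabled for that host.
ssh_dead_peer_timeout() {
    interval=$(config_value "$1" "$2" ServerAliveInterval)
    count=$(config_value "$1" "$2" ServerAliveCountMax)
    : "${interval:=0}"
    : "${count:=3}"
    if [ "$interval" -eq 0 ]; then
        echo 0
    else
        echo $((interval * count))
    fi
}

# Kernel TCP keepalive idle time in seconds. 7200 (2 hours) is the usual default,
# and it applies to every TCP socket on the host, not just ssh. Falls back to 7200
# when the Linux sysctl file is not readable (e.g. on other platforms).
tcp_keepalive_idle() {
    if [ -r /proc/sys/net/ipv4/tcp_keepalive_time ]; then
        cat /proc/sys/net/ipv4/tcp_keepalive_time
    else
        echo 7200
    fi
}

for host in bastion legacy; do
    t=$(ssh_dead_peer_timeout "$SAMPLE_CONFIG" "$host")
    if [ "$t" -eq 0 ]; then
        echo "$host: ServerAlive disabled; only TCP keepalive (idle $(tcp_keepalive_idle)s) applies"
    else
        echo "$host: unreachable server detected after about ${t}s"
    fi
done
```

For the "bastion" block the client notices a dead server after roughly 45 seconds; for "legacy", which relies on TCPKeepAlive alone, nothing happens at the SSH layer and the first probe is governed by the kernel's idle timer, which is why TCPKeepAlive is a poor substitute when fast detection is the goal.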
