[Cialug] SSH annoyance
Zachary Kotlarek
zach at kotlarek.com
Tue Mar 3 16:03:34 CST 2009
On Mar 3, 2009, at 2:44 PM, David Champion wrote:
> Note: there is also a TCPKeepAlive option, but it's not recommended
> that you use that because it can allow your connection to be
> spoofed, instead use the ServerAliveInterval and ServerAliveCountMax
> settings as Dan suggests.
TCP keepalives can be spoofed, at least if you're in a position to do
TCP spoofing in general, but in most cases that does not pose any
significant risk. The only spoofing that can be done is to watch for a
connection that goes dead but does not close and then send fake
keepalives to keep the TCP connection open. As far as I can tell
there's no practical increased risk if you do not rely on knowing
exactly when SSH sessions, and you get the benefit of reaping half-dead
connections (not terribly important for the client, but useful
server-side). Also note that TCPKeepAlive is on by default, so you
must explicitly disable it if you don't want to use them.
As others have noted you still probably want ServerAlive/ClientAlive if
your goal is to generate activity on a frequent basis or know quickly
when the remote host becomes unreachable. Spoofing issues aside, TCP
keepalives just have too long a timeout (typically 2 hours, and
configurable only for the whole TCP stack) to be useful for such
purposes.
Zach
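As an added example (not part of Zach's post or anything else in this thread), here is a small Python audit of a client ssh_config that applies OpenSSH's first-obtained-value-wins rule for Host blocks and reports, per host, whether TCPKeepAlive is on and how many seconds ServerAliveInterval × ServerAliveCountMax needs to declare the peer dead. The sample config is constructed, the 7200 s figure is the typical kernel idle time the post mentions, and Match blocks and negated Host patterns are deliberately not handled.

```python
import re
from fnmatch import fnmatchcase

# OpenSSH client defaults per ssh_config(5): ServerAliveInterval 0 = disabled.
DEFAULTS = {"serveraliveinterval": "0", "serveralivecountmax": "3", "tcpkeepalive": "yes"}
TCP_KEEPALIVE_IDLE = 7200  # typical kernel idle time before the first TCP probe (2 h), assumed


def effective_options(config_text, hostname):
    """Options that apply to hostname, mirroring ssh(1)'s rule that the first
    obtained value for a keyword wins. Host patterns use shell globbing.
    Simplified: no Match blocks, no negated '!' patterns."""
    found = {}
    active = True  # directives before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatchcase(hostname, pat) for pat in value.split())
        elif active and key not in found:
            found[key] = value
    return {**DEFAULTS, **found}


def keepalive_report(config_text, hostname):
    """Return (tcp_keepalive_enabled, seconds until ssh declares the peer dead).
    The second value is None when ServerAliveInterval is 0: only TCP keepalives
    (if enabled) will then reap a half-dead session, and they probe only after
    TCP_KEEPALIVE_IDLE seconds of silence."""
    opts = effective_options(config_text, hostname)
    interval = int(opts["serveraliveinterval"])
    count = int(opts["serveralivecountmax"])
    tcp_on = opts["tcpkeepalive"].lower() == "yes"
    dead_after = interval * count if interval > 0 else None
    return tcp_on, dead_after


SAMPLE_CONFIG = """\
# constructed sample ~/.ssh/config
Host bastion
    ServerAliveInterval 15
    ServerAliveCountMax 4
Host *.lab.example
    TCPKeepAlive no
Host *
    ServerAliveInterval 60
"""
```

Running `keepalive_report(SAMPLE_CONFIG, "bastion")` yields `(True, 60)`: the later `Host *` block cannot raise the interval because the first value wins.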