diff --git a/build_debian.sh b/build_debian.sh index 0b8493410f..3f39ec17e4 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -424,7 +424,7 @@ rm /files/etc/ssh/sshd_config/ClientAliveCountMax touch /files/etc/ssh/sshd_config/EmptyLineHack rename /files/etc/ssh/sshd_config/EmptyLineHack "" set /files/etc/ssh/sshd_config/ClientAliveInterval 900 -set /files/etc/ssh/sshd_config/ClientAliveCountMax 1 +set /files/etc/ssh/sshd_config/ClientAliveCountMax 0 ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 15 minutes" save diff --git a/rules/sonic-fips.mk b/rules/sonic-fips.mk index e5b6e4ad35..8303918e2e 100644 --- a/rules/sonic-fips.mk +++ b/rules/sonic-fips.mk @@ -1,6 +1,6 @@ # fips packages -FIPS_VERSION = 0.3 +FIPS_VERSION = 0.4 FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u3+fips FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u1+fips FIPS_PYTHON_MAIN_VERSION = 3.9 diff --git a/src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch b/src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch new file mode 100644 index 0000000000..3eb04bc4e0 --- /dev/null +++ b/src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch @@ -0,0 +1,48 @@ +From 2bc575c74aa811a60682e989d07675b8e7ac8a12 Mon Sep 17 00:00:00 2001 +From: Saikrishna Arcot +Date: Thu, 13 Oct 2022 13:45:17 -0700 +Subject: [PATCH] Revert commit 69334996: make + sshd_config:ClientAliveCountMax=0 disable the connection-killing behavior + +SONiC (and others) use this feature to kill connections when the session +is idle after some duration of time. OpenSSH 8.2 defined setting +ClientAliveCountMax=0, but by doing so, broke the current use case of +it. + +Signed-off-by: Saikrishna Arcot +--- + serverloop.c | 3 +-- + sshd_config.5 | 3 --- + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/serverloop.c b/serverloop.c +index 48d936d..1b30498 100644 +--- a/serverloop.c ++++ b/serverloop.c +@@ -184,8 +184,7 @@ client_alive_check(struct ssh *ssh) + int r, channel_id; + + /* timeout, check to see how many we have had */ +- if (options.client_alive_count_max > 0 && +- ssh_packet_inc_alive_timeouts(ssh) > ++ if (ssh_packet_inc_alive_timeouts(ssh) > + options.client_alive_count_max) { + sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); + logit("Timeout, client not responding from %s", remote_id); +diff --git a/sshd_config.5 b/sshd_config.5 +index a555e7e..a5815d3 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -545,9 +545,6 @@ is set to 15, and + .Cm ClientAliveCountMax + is left at the default, unresponsive SSH clients + will be disconnected after approximately 45 seconds. +-Setting a zero +-.Cm ClientAliveCountMax +-disables connection termination. + .It Cm ClientAliveInterval + Sets a timeout interval in seconds after which if no data has been received + from the client, +-- +2.25.1 + diff --git a/src/openssh/patch/series b/src/openssh/patch/series index a645ad2583..e320bcab21 100644 --- a/src/openssh/patch/series +++ b/src/openssh/patch/series @@ -1 +1,2 @@ 0001-Put-style-as-line-number-to-ssh-session-environment-.patch +0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch