[openssh]: Restore behavior of ClientAliveCountMax=0 (#12549) (#12591)

* [openssh]: Restore behavior of ClientAliveCountMax=0

OpenSSH 8.2 changed the behavior of ClientAliveCountMax=0 such that
setting it to 0 disables connection-killing entirely when the connection
is idle. Revert that change.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
This commit is contained in:
Saikrishna Arcot 2022-11-03 04:23:29 -07:00 committed by GitHub
parent d2540ae312
commit 694136ff38
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 51 additions and 2 deletions

View File

@ -424,7 +424,7 @@ rm /files/etc/ssh/sshd_config/ClientAliveCountMax
touch /files/etc/ssh/sshd_config/EmptyLineHack
rename /files/etc/ssh/sshd_config/EmptyLineHack ""
set /files/etc/ssh/sshd_config/ClientAliveInterval 900
set /files/etc/ssh/sshd_config/ClientAliveCountMax 1
set /files/etc/ssh/sshd_config/ClientAliveCountMax 0
ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval
set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 15 minutes"
save

View File

@ -1,6 +1,6 @@
# fips packages
FIPS_VERSION = 0.3
FIPS_VERSION = 0.4
FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u3+fips
FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u1+fips
FIPS_PYTHON_MAIN_VERSION = 3.9

View File

@ -0,0 +1,48 @@
From 2bc575c74aa811a60682e989d07675b8e7ac8a12 Mon Sep 17 00:00:00 2001
From: Saikrishna Arcot <sarcot@microsoft.com>
Date: Thu, 13 Oct 2022 13:45:17 -0700
Subject: [PATCH] Revert commit 69334996: make
sshd_config:ClientAliveCountMax=0 disable the connection-killing behavior
SONiC (and others) use this feature to kill connections when the session
is idle after some duration of time. OpenSSH 8.2 defined setting
ClientAliveCountMax=0, but by doing so, broke the current use case of
it.
Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
---
serverloop.c | 3 +--
sshd_config.5 | 3 ---
2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/serverloop.c b/serverloop.c
index 48d936d..1b30498 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -184,8 +184,7 @@ client_alive_check(struct ssh *ssh)
int r, channel_id;
/* timeout, check to see how many we have had */
- if (options.client_alive_count_max > 0 &&
- ssh_packet_inc_alive_timeouts(ssh) >
+ if (ssh_packet_inc_alive_timeouts(ssh) >
options.client_alive_count_max) {
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
logit("Timeout, client not responding from %s", remote_id);
diff --git a/sshd_config.5 b/sshd_config.5
index a555e7e..a5815d3 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -545,9 +545,6 @@ is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive SSH clients
will be disconnected after approximately 45 seconds.
-Setting a zero
-.Cm ClientAliveCountMax
-disables connection termination.
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
--
2.25.1

View File

@ -1 +1,2 @@
0001-Put-style-as-line-number-to-ssh-session-environment-.patch
0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch