Re: SSH completely locks up if you have a NOT PERFECT con


On 8/28/2014 9:20 AM, Anonymous wrote:
> This is an SSH BUG !

It sounds like your main problem is with the specification of TCP, not SSH. TCP/IP was developed with a few overarching assumptions:

1) Your own (source interface) IP#s and possibly the server's didn't change "often". I am pretty sure its original designers didn't develop TCP in an environment "featuring" bouncing IP#s from flaky WiFi spots' DHCP implementations issuing you a new IP# all the time when your link resumes.

2) The route path to your server was reasonably stable, and fairly static. Most of the transient path-'outages' are usually due to some leg's BGP changes or flakiness. Occasionally, connections get half-broken, even if both sides don't notice any especial "outage" to the Internet-at-large.

Projects with security as their first priority generally don't have the mandate, let alone resources to try to work around all of the problems caused by the "modern flaky reality" of Internet connectivity.

TCP's always had a problem of detecting half-broken connections on the server side when the normal "idle" state of the server is awaiting input from the client. With TCP - unless you enable KEEPALIVES or build in a "HEARTBEAT" into your protocol - you generally don't know the link's dead until you try to send data to your endpoint.

If you really do want "auto-closure" of half-disconnected connections, there are many options open to you, ranging from a mix of enabling TCP keep-alives with semi-shortish timeout intervals (note, this isn't protected by any crypto or MAC of any kind), to enabling an "SSH inband 'ping'" to more securely implement a "heartbeat" type of functionality.

Read the manuals, educate yourself about your kernel's TCP stack tuning knobs (if you can even get at those on your system), but don't shriek like a lunatic to every software project that inherits the limitations of underlying protocols and demand that they redress the accumulated shortcomings of decades of ad-hoc and often chaotic "progress" that have exposed the cracks in a 30+ year old networking specification.

Not an SSH Bug, but a USER Bug.

=R=
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
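An added example, not code from the post or from OpenSSH: the two liveness mechanisms the reply contrasts, applied to a constructed loopback socket pair. Socket option names follow Linux (a macOS fallback for the idle-time option is assumed); the ssh_config/sshd_config option names are OpenSSH's own.

```python
import socket

# Linux names; macOS calls the idle-time option TCP_KEEPALIVE (assumption).
_IDLE_OPT = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))

def enable_tcp_keepalive(sock, idle, interval, count):
    """Turn on kernel keepalives on an open TCP socket; return the worst-case
    seconds before the kernel declares the peer dead. This is the unprotected
    mechanism the reply warns about: probes and ACKs carry no MAC, so nothing
    ties a keepalive answer to the authenticated SSH peer."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Per-socket overrides of net.ipv4.tcp_keepalive_{time,intvl,probes}.
    sock.setsockopt(socket.IPPROTO_TCP, _IDLE_OPT, idle)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle + interval * count

def read_tcp_keepalive(sock):
    """Read back what the kernel actually applied (it may clamp values)."""
    get = sock.getsockopt
    return {
        "enabled": get(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "idle": get(socket.IPPROTO_TCP, _IDLE_OPT),
        "interval": get(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "count": get(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }

def ssh_alive_deadline(interval, count_max):
    """The in-band alternative: ssh_config ServerAliveInterval/ServerAliveCountMax
    (sshd_config ClientAliveInterval/ClientAliveCountMax server-side). Requests
    travel inside the encrypted, MAC-protected channel; the session is torn
    down after count_max consecutive unanswered requests."""
    return interval * count_max

def demo(idle=60, interval=10, count=3):
    """Loopback socket pair (constructed here so the example runs offline)."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.create_connection(srv.getsockname()):
            conn, _ = srv.accept()
            with conn:
                worst_case = enable_tcp_keepalive(conn, idle, interval, count)
                applied = read_tcp_keepalive(conn)
    return worst_case, applied

if __name__ == "__main__":
    worst, applied = demo()
    print(f"kernel keepalive gives up after <= {worst}s: {applied}")
    print(f"ServerAliveInterval=15 ServerAliveCountMax=3 -> {ssh_alive_deadline(15, 3)}s")
```

The kernel-level timer only tells the host the link is gone; the SSH-level one additionally proves the answer came from the authenticated peer, which is why the reply calls it the more secure "heartbeat".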