[Bug 2627] Documentation update: semantic of ClientAliveCountMax 0 unclear

bugzilla-daemon at mindrot.org
Tue Nov 28 09:22:32 AEDT 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=2627

Christopher Maynard <christopher.maynard at igt.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |christopher.maynard at igt.com

--- Comment #6 from Christopher Maynard <christopher.maynard at igt.com> ---
(In reply to Damien Miller from comment #2)
> I committed an alternate change: ClientAliveCountMax=0 will disable
> connection-killing entirely. This will be released in OpenSSH 8.2

I think this was the absolute wrong thing to do.  This bug report was
opened to clarify the documentation about the exact behavior of setting
ClientAliveCountMax=0, not to change the behavior of it, and in doing
so completely break backward-compatibility in the process.

Our organization has just been bitten by this change where previously
idle SSH sessions would automatically time out and terminate after the
configured value of ClientAliveInterval, as expected.  Now this no
longer happens and idle sessions remain active indefinitely.  I fail to
see any possible positive use case for SSH sessions to remain active
indefinitely, and in fact, the new behavior is now perceived as an
increased security risk.

How many idle SSH sessions are unknowingly remaining active now, I
wonder?  In today's security conscious world, this change in behavior
is simply terrible and quite frankly inexcusable.

For the benefit of all users, please revert this change.
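The disagreement above comes down to what `ClientAliveCountMax 0` means on a given sshd version: before 8.2 it caused a disconnect at the first liveness check, from 8.2 on it disables liveness-based disconnects altogether. The script below is an added example for auditing an existing sshd_config for that setting; it is not code from the bug report or from OpenSSH. It applies the sshd_config(5) parsing rules I rely on (case-insensitive keywords, `Key value` or `Key=value`, `#` comments, first value wins), uses the sshd defaults (ClientAliveInterval 0, ClientAliveCountMax 3), and deliberately skips Match blocks and does not follow Include directives, so it reports only the global values. The two config fragments it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper: does this sshd_config still rely on the pre-8.2 meaning of
# "ClientAliveCountMax 0"? Added example; the sample configs are constructed.

# Print the effective global value of a keyword (first occurrence wins, as in
# sshd_config(5)). Match blocks are skipped: they apply only to matching
# connections. Include directives are not followed (simplification).
sshd_global_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^$/ { next }                                     # skip blank lines
        tolower($0) ~ /^match$/ || tolower($0) ~ /^match[ \t]/ { inmatch = 1; next }
        inmatch { next }
        {
            key = $0; sub(/[ \t=].*$/, "", key)            # keyword
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)   # its value
            if (tolower(key) == want) { print val; exit }  # first value wins
        }
    ' "$1"
}

# Classify the liveness configuration. Prints one line; returns 0 when
# unresponsive clients will eventually be disconnected, 1 when they never will,
# 2 on a value this helper cannot interpret.
check_client_alive() {
    interval=$(sshd_global_value "$1" ClientAliveInterval)
    countmax=$(sshd_global_value "$1" ClientAliveCountMax)
    interval=${interval:-0}   # sshd default: 0, no liveness checks at all
    countmax=${countmax:-3}   # sshd default: 3
    case "$interval$countmax" in
        *[!0-9]*) echo "error: non-numeric ClientAlive* value in $1"; return 2 ;;
    esac
    if [ "$interval" -eq 0 ]; then
        echo "never: ClientAliveInterval 0, sshd sends no liveness checks"
        return 1
    elif [ "$countmax" -eq 0 ]; then
        echo "never: ClientAliveCountMax 0 (since OpenSSH 8.2 this disables disconnection)"
        return 1
    fi
    echo "after about $((interval * countmax))s without a reply (interval $interval x count $countmax)"
    return 0
}

# Constructed sample configs. The first is the pattern the bug reporter relied
# on; the second states the count explicitly and behaves the same on every release.
write_legacy_config() {
    printf '%s\n' '# hardening fragment' 'ClientAliveInterval 300' \
        'ClientAliveCountMax 0' 'Match User backup' '    ClientAliveCountMax 3' > "$1"
}
write_current_config() {
    printf '%s\n' 'ClientAliveInterval=300' 'clientalivecountmax 2' > "$1"
}

main() {
    tmp=${TMPDIR:-/tmp}/sshd_alive_demo.$$
    write_legacy_config "$tmp"
    printf 'legacy : '; check_client_alive "$tmp" || true
    write_current_config "$tmp"
    printf 'current: '; check_client_alive "$tmp" || true
    rm -f "$tmp"
}
main
```

Run it against a real file with `check_client_alive /etc/ssh/sshd_config`; a "never" result on an 8.2 or later host means the disconnect the reporter expected is not happening, and the remedy on the sshd side is an explicit non-zero `ClientAliveCountMax`.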
