Bug 1952411

Summary: Sshd randomly drops client connections when a RekeyLimit timeout is specified and ClientAliveCountMax is zero
Product: Red Hat Enterprise Linux 8
Reporter: Eric Negaard <eric.negaard>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 8.3
CC: asosedki, dbelyavs, dchong, huchaudh, jjelen, mbliss, mhaicman, mhavrila, peter.vreman
Target Milestone: beta
Keywords: Reopened, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Last Closed: 2022-08-29 13:43:03 UTC
Type: Bug

Description Eric Negaard 2021-04-22 08:57:43 UTC
Description of problem:

When both a RekeyLimit timeout is specified and ClientAliveCountMax is set to zero, sshd disconnects sessions even when input has been detected from the client within the specified ClientAliveInterval.

Version-Release number of selected component (if applicable):

8.0p1

How reproducible:

Always

Steps to Reproduce:
1. Edit /etc/ssh/sshd_config, set RekeyLimit to "512M 120", ClientAliveCountMax to 0 and ClientAliveInterval to 60
2. Restart sshd
3. Create a connection to the server via ssh, and type "date" every 10 seconds

Actual results:

The server disconnects the client session even though input was received from the client within the last ClientAliveInterval seconds. In the example below, the client produced input at 8:39:25 UTC and the server disconnected the session 15 seconds later at 8:39:40 UTC even though ClientAliveInterval is set to 60.

Client side:

...
$ date
Thu Apr 22 08:39:02 UTC 2021
$ date
Thu Apr 22 08:39:19 UTC 2021
$ date
Thu Apr 22 08:39:25 UTC 2021
$ Connection to SERVERNAME closed by remote host.
Connection to SERVERNAME closed.

Server side:

Apr 22 08:39:40 SERVERNAME sshd[1428458]: Timeout, client not responding from user USERNAME CLIENT-IP port 37998

Expected results:

It is expected that the server allows the connection to remain open as long as input is received from the client every ClientAliveInterval seconds.

Additional info:

This is a re-open of Bug #1686065 because the fix for that bug appears to be incomplete.

Comment 3 Dmitry Belyavskiy 2021-04-23 12:35:19 UTC
Would you mind testing the proposed patch?

Comment 6 Alexander Sosedkin 2021-04-27 09:20:18 UTC
Note: the meaning of setting ClientAliveCountMax to 0 used to be undefined.
In newer openssh versions it disables connection termination [1] altogether.

The documentation suggests that the disconnect timeout on inactivity
is a product of ClientAliveCountMax and ClientAliveInterval.

[1] https://github.com/openssh/openssh-portable/commit/69334996ae203c51c70bf01d414c918a44618f8e
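
Added example (not part of the bug report or of OpenSSH): a small audit that flags an sshd_config carrying the combination from the reproduction steps, a RekeyLimit with a time component together with ClientAliveCountMax 0 and a non-zero ClientAliveInterval, and that also computes the interval-times-count product mentioned in comment 6. The function names and sample file are constructed; the defaults used for unset keywords (RekeyLimit "default none", ClientAliveInterval 0, ClientAliveCountMax 3) are assumed from sshd_config(5), and Match blocks are ignored.

```python
import re

# Constructed sample: the settings from the reproduction steps in this report.
SAMPLE_CONFIG = """\
# constructed sample, not a real host's file
RekeyLimit 512M 120
ClientAliveInterval 60
ClientAliveCountMax 0
Match User backup
    ClientAliveCountMax 3
"""
# Assumed defaults for keywords that are not set (per sshd_config(5)).
DEFAULTS = {"rekeylimit": "default none", "clientaliveinterval": "0",
            "clientalivecountmax": "3"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def seconds(value):
    """Convert an sshd_config time value ('120', '2m', '1h30m') to seconds."""
    if value.lower() == "none":
        return 0
    return sum(int(n) * UNITS[u or "s"]
               for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def global_settings(text):
    """Return the global directives; the first value seen for a keyword wins."""
    found, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or an optional '='.
        key, _, value = re.sub(r"\s*=\s*|\s+", " ", line, count=1).partition(" ")
        key = key.lower()  # keywords are case-insensitive
        if key == "match":  # conditional blocks are out of scope here
            break
        if key in DEFAULTS and key not in seen:
            seen.add(key)
            found[key] = value.strip()
    return found

def audit(text):
    """Report whether the config matches the combination described in this bug."""
    cfg = global_settings(text)
    interval = seconds(cfg["clientaliveinterval"])
    count = int(cfg["clientalivecountmax"])
    limit = cfg["rekeylimit"].split()
    rekey_time = seconds(limit[1]) if len(limit) > 1 else 0
    return {"interval": interval, "count_max": count, "rekey_seconds": rekey_time,
            "documented_timeout": interval * count,
            "affected": interval > 0 and count == 0 and rekey_time > 0}
```

A result with `affected` set only means the file has the reported combination of settings; it says nothing about which openssh build is installed.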