[openssh]: Restore behavior of ClientAliveCountMax=0 (sonic-net#12549) (

sonic-net#12591) * [openssh]: Restore behavior of ClientAliveCountMax=0 OpenSSH 8.2 changed the behavior of ClientAliveCountMax=0 such that setting it to 0 disables connection-killing entirely when the connection is idle. Revert that change. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
yxieca · Nov 3, 2022 · 694136f · 694136f
1 parent d2540ae
commit 694136f
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 2 deletions.
diff --git a/build_debian.sh b/build_debian.sh
@@ -424,7 +424,7 @@ rm /files/etc/ssh/sshd_config/ClientAliveCountMax
 touch /files/etc/ssh/sshd_config/EmptyLineHack
 rename /files/etc/ssh/sshd_config/EmptyLineHack ""
 set /files/etc/ssh/sshd_config/ClientAliveInterval 900
-set /files/etc/ssh/sshd_config/ClientAliveCountMax 1
+set /files/etc/ssh/sshd_config/ClientAliveCountMax 0
 ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval
 set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 15 minutes"
 save

diff --git a/rules/sonic-fips.mk b/rules/sonic-fips.mk
@@ -1,6 +1,6 @@
 # fips packages
 
-FIPS_VERSION = 0.3
+FIPS_VERSION = 0.4
 FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u3+fips
 FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u1+fips
 FIPS_PYTHON_MAIN_VERSION = 3.9

diff --git a/src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch b/src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch
@@ -0,0 +1,48 @@
+From 2bc575c74aa811a60682e989d07675b8e7ac8a12 Mon Sep 17 00:00:00 2001
+From: Saikrishna Arcot <sarcot@microsoft.com>
+Date: Thu, 13 Oct 2022 13:45:17 -0700
+Subject: [PATCH] Revert commit 69334996: make
+ sshd_config:ClientAliveCountMax=0 disable the connection-killing behavior
+
+SONiC (and others) use this feature to kill connections when the session
+is idle after some duration of time. OpenSSH 8.2 defined setting
+ClientAliveCountMax=0, but by doing so, broke the current use case of
+it.
+
+Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
+---
+ serverloop.c  | 3 +--
+ sshd_config.5 | 3 ---
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index 48d936d..1b30498 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -184,8 +184,7 @@ client_alive_check(struct ssh *ssh)
+ 	int r, channel_id;
+
+ 	/* timeout, check to see how many we have had */
+-	if (options.client_alive_count_max > 0 &&
+-	    ssh_packet_inc_alive_timeouts(ssh) >
++	if (ssh_packet_inc_alive_timeouts(ssh) >
+ 	    options.client_alive_count_max) {
+ 		sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
+ 		logit("Timeout, client not responding from %s", remote_id);
+diff --git a/sshd_config.5 b/sshd_config.5
+index a555e7e..a5815d3 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -545,9 +545,6 @@ is set to 15, and
+ .Cm ClientAliveCountMax
+ is left at the default, unresponsive SSH clients
+ will be disconnected after approximately 45 seconds.
+-Setting a zero
+-.Cm ClientAliveCountMax
+-disables connection termination.
+ .It Cm ClientAliveInterval
+ Sets a timeout interval in seconds after which if no data has been received
+ from the client,
+-- 
+2.25.1
+
diff --git a/src/openssh/patch/series b/src/openssh/patch/series
@@ -1 +1,2 @@
 0001-Put-style-as-line-number-to-ssh-session-environment-.patch
+0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch