Diffstat (limited to 'lib/ssh/doc/src/hardening.xml')
-rw-r--r--  lib/ssh/doc/src/hardening.xml  103
1 files changed, 62 insertions, 41 deletions
diff --git a/lib/ssh/doc/src/hardening.xml b/lib/ssh/doc/src/hardening.xml
index c1d3f7669c..cc530ace0e 100644
--- a/lib/ssh/doc/src/hardening.xml
+++ b/lib/ssh/doc/src/hardening.xml
@@ -5,14 +5,14 @@
<header>
<copyright>
<year>2017</year>
- <year>2020</year>
+ <year>2022</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
-
+
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
@@ -59,43 +59,64 @@
However, some measures could be taken in the configuration of the SSH server to increase the resilence.
The options to use
are:</p>
- <taglist>
- <tag><seetype marker="ssh#hello_timeout_daemon_option">hello_timeout</seetype></tag>
- <item>
- If the client fails to send the first ssh message after a tcp connection setup
- within this time (in milliseconds), the connection is closed.
- The default value is 30 seconds. This is actualy a generous time, so it can lowered
- to make the daemon less prone to DoS attacks.
- </item>
- <tag><seetype marker="ssh#negotiation_timeout_daemon_option">negotiation_timeout</seetype></tag>
- <item>
- Maximum time in milliseconds for the authentication negotiation.
- If the client fails to log in within this time, the connection is closed.
- The default value is 2 minutes. It is quite a long time, but can lowered if the client is
- supposed to be fast like if it is a program logging in.
- </item>
- <tag><seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl></tag>
- <item>
- The maximum number of simultaneous sessions that are accepted at any time for this daemon.
- This includes sessions that are being authorized. The default is that an unlimited number of
- simultaneous sessions are allowed. It is a good candidate to set if the capacity of the server
- is low or a capacity margin is needed.
- </item>
- <tag><seeerl marker="ssh#hardening_daemon_options--max_channels">max_channels</seeerl></tag>
- <item>
- The maximum number of channels that are accepted for each connection. The default is unlimited.
- </item>
- <tag><seeerl marker="ssh#hardening_daemon_options--parallel_login">parallel_login</seeerl></tag>
- <item>
- If set to false (the default value), only one login is handled at a time.
- If set to true, the number of simultaneous login attempts are limited by the value of
- <seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl> option.
- </item>
- <tag><seetype marker="ssh#max_idle_time_common_option">idle_time<!--sic!--></seetype></tag>
- <item>
- Sets a time-out on a connection when no channels are open. Defaults to infinity.
- </item>
- </taglist>
+ <section>
+ <title>Counters and parallelism</title>
+ <taglist>
+ <tag><seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl></tag>
+ <item>
+ The maximum number of simultaneous sessions that are accepted at any time for this daemon.
+ This includes sessions that are being authorized. The default is that an unlimited number of
+ simultaneous sessions are allowed. It is a good candidate to set if the capacity of the server
+ is low or a capacity margin is needed.
+ </item>
+ <tag><seeerl marker="ssh#hardening_daemon_options--max_channels">max_channels</seeerl></tag>
+ <item>
+ The maximum number of channels that are accepted for each connection. The default is unlimited.
+ </item>
+ <tag><seeerl marker="ssh#hardening_daemon_options--parallel_login">parallel_login</seeerl></tag>
+ <item>
+ If set to false (the default value), only one login is handled at a time.
+ If set to true, the number of simultaneous login attempts are limited by the value of the
+ <seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl> option.
+ </item>
+ </taglist>
+ </section>
+
+ <section>
+ <title>Timeouts</title>
+ <taglist>
+ <tag><seetype marker="ssh#hello_timeout_daemon_option">hello_timeout</seetype></tag>
+ <item>
+ If the client fails to send the first ssh message after a tcp connection setup
+ within this time (in milliseconds), the connection is closed.
+ The default value is 30 seconds. This is actually a generous time, so it can lowered
+ to make the daemon less prone to DoS attacks.
+ </item>
+ <tag><seetype marker="ssh#negotiation_timeout_daemon_option">negotiation_timeout</seetype></tag>
+ <item>
+ Maximum time in milliseconds for the authentication negotiation counted from the TCP connection establishment.
+ If the client fails to log in within this time the connection is closed.
+ The default value is 2 minutes. It is quite a long time, but can lowered if the client is
+ supposed to be fast like if it is a program logging in.
+ </item>
+ <tag><seetype marker="ssh#max_idle_time_common_option">idle_time<!--sic!--></seetype></tag>
+ <item>
+ Sets a time-out on a connection when no channels are left after closing the final one.
+ It defaults to infinity.
+ </item>
+ <tag><seetype marker="ssh#max_initial_idle_time_daemon_option">max_initial_idle_time</seetype></tag>
+ <item>
+ Sets a time-out on a connection that will expire if no channel is opened on the connection.
+ The timeout is started when the authentication phase is completed.
+ It defaults to infinity.
+ </item>
+ </taglist>
+ <p>A figure clarifies when a timeout is started and when it triggers:
+ </p>
+ <image file="ssh_timeouts.jpg">
+ <icaption>SSH server timeouts</icaption>
+ </image>
+ </section>
</section>
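Review bot: the moved text for hello_timeout and negotiation_timeout still carries the grammatical slip "can lowered" from the removed block (both "so it can lowered" and "but can lowered"); since these lines are being rewritten anyway, change both to "can be lowered". Two more wording points in the same hunk: in the parallel_login item "the number of simultaneous login attempts are limited" should be "is limited", and "supposed to be fast like if it is a program logging in" reads better as "expected to be fast, for example when a program is logging in". The untouched context line above the list also misspells "resilience" as "resilence" and could be fixed in the same commit. On substance, the idle_time item now says the timer applies "when no channels are left after closing the final one", which correctly separates it from the new max_initial_idle_time (started when authentication completes, before any channel is opened); it would help readers to add one sentence to the idle_time item pointing out that the no-channel-yet case is covered by max_initial_idle_time, so nobody expects idle_time to fire on a freshly authenticated but channel-less connection. Finally, the hunk adds `<image file="ssh_timeouts.jpg">`; this diff view is limited to hardening.xml, so please confirm the image file is part of the change and included in the documentation build, otherwise the new section will fail to render.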
@@ -170,7 +191,7 @@ fun(User, Password, _PeerAddress, State) ->
end.
</code>
<p>If a public key is used for logging in, there is normally no checking of the user name. It
- could be enabled by setting the option
+ could be enabled by setting the option
<seeerl marker="ssh#option-pk_check_user"><c>pk_check_user</c></seeerl>
to <c>true</c>.
In that case the pwdfun will get the atom <c>pubkey</c> in the password argument.
@@ -251,7 +272,7 @@ end.
<code>
ssh:daemon(1234, [{id_string,"hi there"}, ... ]).
</code>
- <p>and the deamon will present itself as:</p>
+ <p>and the daemon will present itself as:</p>
<pre>SSH-2.0-hi there</pre>
<p>It is possible to replace the string with one randomly generated for each connection attempt.
See the reference manual for <seetype marker="ssh#id_string_common_option">id_string</seetype>.