Diffstat (limited to 'lib/ssh/doc/src/hardening.xml')
-rw-r--r-- | lib/ssh/doc/src/hardening.xml | 103 |
1 files changed, 62 insertions, 41 deletions
diff --git a/lib/ssh/doc/src/hardening.xml b/lib/ssh/doc/src/hardening.xml index c1d3f7669c..cc530ace0e 100644 --- a/lib/ssh/doc/src/hardening.xml +++ b/lib/ssh/doc/src/hardening.xml @@ -5,14 +5,14 @@ <header> <copyright> <year>2017</year> - <year>2020</year> + <year>2022</year> <holder>Ericsson AB. All Rights Reserved.</holder> </copyright> <legalnotice> Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software 
@@ -59,43 +59,64 @@ However, some measures could be taken in the configuration of the SSH server to increase the resilence. The options to use are:</p> - <taglist> - <tag><seetype marker="ssh#hello_timeout_daemon_option">hello_timeout</seetype></tag> - <item> - If the client fails to send the first ssh message after a tcp connection setup - within this time (in milliseconds), the connection is closed. - The default value is 30 seconds. This is actualy a generous time, so it can lowered - to make the daemon less prone to DoS attacks. - </item> - <tag><seetype marker="ssh#negotiation_timeout_daemon_option">negotiation_timeout</seetype></tag> - <item> - Maximum time in milliseconds for the authentication negotiation. - If the client fails to log in within this time, the connection is closed. - The default value is 2 minutes. It is quite a long time, but can lowered if the client is - supposed to be fast like if it is a program logging in. - </item> - <tag><seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl></tag> - <item> - The maximum number of simultaneous sessions that are accepted at any time for this daemon. - This includes sessions that are being authorized. The default is that an unlimited number of - simultaneous sessions are allowed. It is a good candidate to set if the capacity of the server - is low or a capacity margin is needed. - </item> - <tag><seeerl marker="ssh#hardening_daemon_options--max_channels">max_channels</seeerl></tag> - <item> - The maximum number of channels that are accepted for each connection. The default is unlimited. - </item> - <tag><seeerl marker="ssh#hardening_daemon_options--parallel_login">parallel_login</seeerl></tag> - <item> - If set to false (the default value), only one login is handled at a time. - If set to true, the number of simultaneous login attempts are limited by the value of - <seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl> option. 
- </item> - <tag><seetype marker="ssh#max_idle_time_common_option">idle_time<!--sic!--></seetype></tag> - <item> - Sets a time-out on a connection when no channels are open. Defaults to infinity. - </item> - </taglist> + <section> + <title>Counters and parallelism</title> + <taglist> + <tag><seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl></tag> + <item> + The maximum number of simultaneous sessions that are accepted at any time for this daemon. + This includes sessions that are being authorized. The default is that an unlimited number of + simultaneous sessions are allowed. It is a good candidate to set if the capacity of the server + is low or a capacity margin is needed. + </item> + <tag><seeerl marker="ssh#hardening_daemon_options--max_channels">max_channels</seeerl></tag> + <item> + The maximum number of channels that are accepted for each connection. The default is unlimited. + </item> + <tag><seeerl marker="ssh#hardening_daemon_options--parallel_login">parallel_login</seeerl></tag> + <item> + If set to false (the default value), only one login is handled at a time. + If set to true, the number of simultaneous login attempts are limited by the value of the + <seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl> option. + </item> + </taglist> + </section> + + <section> + <title>Timeouts</title> + <taglist> + <tag><seetype marker="ssh#hello_timeout_daemon_option">hello_timeout</seetype></tag> + <item> + If the client fails to send the first ssh message after a tcp connection setup + within this time (in milliseconds), the connection is closed. + The default value is 30 seconds. This is actually a generous time, so it can lowered + to make the daemon less prone to DoS attacks. + </item> + <tag><seetype marker="ssh#negotiation_timeout_daemon_option">negotiation_timeout</seetype></tag> + <item> + Maximum time in milliseconds for the authentication negotiation counted from the TCP connection establishment. 
+ If the client fails to log in within this time the connection is closed. + The default value is 2 minutes. It is quite a long time, but can lowered if the client is + supposed to be fast like if it is a program logging in. + </item> + <tag><seetype marker="ssh#max_idle_time_common_option">idle_time<!--sic!--></seetype></tag> + <item> + Sets a time-out on a connection when no channels are left after closing the final one. + It defaults to infinity. + </item> + <tag><seetype marker="ssh#max_initial_idle_time_daemon_option">max_initial_idle_time</seetype></tag> + <item> + Sets a time-out on a connection that will expire if no channel is opened on the connection. + The timeout is started when the authentication phase is completed. + It defaults to infinity. + </item> + </taglist> + <p>A figure clarifies when a timeout is started and when it triggers: + </p> + <image file="ssh_timeouts.jpg"> + <icaption>SSH server timeouts</icaption> + </image> + </section> </section> @@ -170,7 +191,7 @@ fun(User, Password, _PeerAddress, State) -> end. </code> <p>If a public key is used for logging in, there is normally no checking of the user name. It - could be enabled by setting the option + could be enabled by setting the option <seeerl marker="ssh#option-pk_check_user"><c>pk_check_user</c></seeerl> to <c>true</c>. In that case the pwdfun will get the atom <c>pubkey</c> in the password argument. @@ -251,7 +272,7 @@ end. <code> ssh:daemon(1234, [{id_string,"hi there"}, ... ]). </code> - <p>and the deamon will present itself as:</p> + <p>and the daemon will present itself as:</p> <pre>SSH-2.0-hi there</pre> <p>It is possible to replace the string with one randomly generated for each connection attempt. See the reference manual for <seetype marker="ssh#id_string_common_option">id_string</seetype>. |
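Review bot: the "Timeouts" section of the second hunk (@@ -59,43) carries the pre-existing grammar slip "can lowered" into both moved items ("This is actually a generous time, so it can lowered" and "It is quite a long time, but can lowered"); since these lines are being rewritten anyway, change both to "can be lowered". In the same hunk, "the number of simultaneous login attempts are limited" should read "is limited". The new max_initial_idle_time item only states the default ("It defaults to infinity."), whereas the surrounding items on a hardening page tell the reader why and when to lower a value; add a sentence recommending a finite value so that a connection that authenticates but never opens a channel is closed rather than held open indefinitely. The item also says the timeout "is started when the authentication phase is completed", while negotiation_timeout is now "counted from the TCP connection establishment"; please make the new figure (ssh_timeouts.jpg) show both start points explicitly, and confirm that the image file is added to the documentation build, since this diff is limited to hardening.xml and the image is not visible here.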