freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

[Focal] session terminated, ssh service timing out for idle sessions on Focal instances #5779

Open emkll opened 3 years ago

emkll commented 3 years ago

Description

In Focal, it appears (inactive) ssh sessions get terminated after 15 minutes or so with the following error:

Session terminated, killing shell

Because the shell is killed on the server, tmux does not restore the session once a user re-connects to the server via ssh.

Perhaps modifying ClientAliveInterval or ClientAliveCountMax might allow the session to be kept alive, but it appears the shell is being terminated, not the ssh connection. This appears to be a change from Xenial. This does not affect subsequent installs, only idle tmux sessions over ssh.

Terminating idle sessions is generally a good practice, though the benefits may be limited since the Tails admin workstation is exclusively used to manage SecureDrop servers.


OSSEC HIDS Notification.
2021 Feb 08 18:29:27

Received From: mon->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Feb  8 18:29:26 mon systemd[1]: ssh.service: Failed with result 'timeout'.

 --END OF NOTIFICATION

OSSEC HIDS Notification.
2021 Feb 08 18:29:27

Received From: mon->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Feb  8 18:29:26 mon systemd[1]: Failed to start OpenBSD Secure Shell server.

 --END OF NOTIFICATION

Steps to Reproduce

Expected Behavior

I am not sure what the best behavior should be here. Should the timeout be handled by ssh, or should the shell handle the timeout? At the very least, an ossec alert should not be sent to admins once an idle session is terminated.

Actual Behavior

An ossec alert is sent to an admin (see above).

Comments

Suggestions to fix, any other relevant information.

conorsch commented 3 years ago

Checking the timeouts in the sshd config sounds like the right next step. We also have a longstanding ask to switch from tmux to byobu in #1118, worth checking on a hardware install whether the behavior there is any different.
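
The check suggested in this thread, as an added example that is not part of the original issue or the SecureDrop code base: it reports the sshd keepalive timeout and any shell-side idle timeout separately, since the issue notes the shell is killed rather than the ssh connection. The sample inputs are constructed, and treating bash's `TMOUT` as the shell-side setting to inspect is an assumption, not a confirmed cause.

```shell
#!/bin/sh
# Added example (not from the SecureDrop repository). All inputs are constructed.

# Constructed sample in the lowercase "key value" form that `sshd -T` prints.
SAMPLE_SSHD='port 22
clientaliveinterval 300
clientalivecountmax 3
usepam yes'

# Constructed sample profile fragment; TMOUT is bash's idle auto-logout variable.
SAMPLE_PROFILE='# idle shell timeout
TMOUT=900
readonly TMOUT
export TMOUT'

# Reads sshd settings on stdin. Prints the seconds after which sshd drops a
# client that stops answering keepalive probes (interval * countmax), or
# "disabled". These probes only detect dead peers: a responsive but idle
# session is never closed by them.
sshd_unresponsive_timeout() {
    awk '
        tolower($1) == "clientaliveinterval" { i = $2 }
        tolower($1) == "clientalivecountmax" { c = $2 }
        END {
            if (i == "") i = 0      # OpenSSH default: no probes sent
            if (c == "") c = 3      # OpenSSH default
            # countmax 0 disables termination in OpenSSH 8.2 and later
            if (i + 0 == 0 || c + 0 == 0) print "disabled"
            else print i * c
        }'
}

# Reads shell profile text on stdin. Prints the last TMOUT=<seconds> value
# assigned outside a comment, or "unset".
shell_tmout() {
    awk '
        /^[ \t]*#/ { next }
        match($0, /(^|[ \t])TMOUT=[0-9]+/) {
            v = substr($0, RSTART, RLENGTH); sub(/.*TMOUT=/, "", v)
        }
        END { print (v == "" ? "unset" : v) }'
}

# On a real host (as root): sshd -T | sshd_unresponsive_timeout
echo "sshd unresponsive-client timeout: $(printf '%s\n' "$SAMPLE_SSHD" | sshd_unresponsive_timeout)"
echo "shell TMOUT: $(printf '%s\n' "$SAMPLE_PROFILE" | shell_tmout)"
```

If the first value is "disabled" and sessions still end after a fixed idle period, the timeout is being enforced somewhere other than sshd's keepalive settings.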