
James Harper wrote:
# russm> twb: TCPKeepalive is spoofable at the TCP layer, where ServerAliveFoo sends ssh ping commands inside the encrypted connection
# twb> why does it matter if someone spoofs a keepalive?
# russm> they could attack your routing and hijack the connection without you noticing that the other end had actually gone away
# russm> whether that's a problem depends on what you're doing with the connection, of course
# russm> if you're expecting asynchronous data to come back, then you'd never notice the other end was gone
# russm> if you're doing interactive, or request/response then obviously you'd notice at a higher layer (perhaps the human layer)
I don't buy that. Keepalives don't necessarily make TCP hijacking any more or less possible, and would be useless for SSH unless the attacker also knows the current state of the encryption state machine, and if they know that then you are looking for the problem in the wrong place.
I'm open to being enlightened though!
I don't pretend to grok the commentary above :-( It was convincing enough for me to cargo-cult into my ssh_config.
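
For readers checking which liveness mechanism their own client config ends up using, here is an added example (not part of the thread) that classifies the effective settings printed by `ssh -G <host>`. It assumes "ServerAliveFoo" refers to OpenSSH's `ServerAliveInterval` and `ServerAliveCountMax`; the function name and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Reads `ssh -G <host>` output on stdin and reports how a dead peer is detected:
#   in-channel N : ServerAlive probes inside the encrypted channel; the client
#                  disconnects after about N seconds without a reply
#   tcp-only     : only unauthenticated TCP keepalives (the OpenSSH default)
#   none         : no liveness check at all
classify_keepalive() {
    awk '
        BEGIN { tcp = "yes"; interval = 0; count = 3 }   # OpenSSH client defaults
        { key = tolower($1) }
        key == "tcpkeepalive"        { tcp = tolower($2) }
        key == "serveraliveinterval" { interval = $2 + 0 }
        key == "serveralivecountmax" { count = $2 + 0 }
        END {
            if (interval > 0)      printf "in-channel %d\n", interval * count
            else if (tcp == "yes") print "tcp-only"
            else                   print "none"
        }'
}

# Constructed sample: what `ssh -G` prints for an untouched default config.
sample_default='tcpkeepalive yes
serveraliveinterval 0
serveralivecountmax 3'

# Constructed sample: config relying on in-channel probes instead.
sample_hardened='tcpkeepalive no
serveraliveinterval 30
serveralivecountmax 3'

printf '%s\n' "$sample_default"  | classify_keepalive
printf '%s\n' "$sample_hardened" | classify_keepalive
```

Against a real host entry, run `ssh -G somehost | classify_keepalive`, where `somehost` is a placeholder for a name from your own ssh_config.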