ssh

How to prevent SSH from being affected by broadband modem timeouts

For a long time now I’ve suffered through a modem which disconnects any TCP session that has been idle for 15 minutes. For the most part this behavior is not problematic, except for SSH. I’ve gotten into the habit of trying to leave all of my remote SSH sessions running a program with continuous feedback such as top, htop, saidar, iftop, or watch. Of course there are plenty of times in the middle of work when I don’t think to run such a program, go off to do some research, and come back to a dead SSH connection. I decided to finally address this issue and figure out how to send some sort of keep-alive. There are two options which can be used: ServerAliveInterval and TCPKeepAlive. Each of these can be used alone or together, but there are benefits and drawbacks to each.
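As an added illustration (not from the original post), here is a client-side ~/.ssh/config fragment that sets both options for a host behind such a modem; the host alias and interval values are assumptions chosen so that traffic flows well inside the 15-minute idle window:

```ssh_config
# ~/.ssh/config (added example; host alias and values are assumptions)
Host homebox
    HostName homebox.example.com

    # ServerAliveInterval: every 120 seconds of silence the client sends a
    # request inside the encrypted channel and expects a reply. This both
    # refreshes the modem's idle timer and detects a dead peer: after
    # ServerAliveCountMax unanswered requests (3 * 120 s = 6 min here) ssh
    # gives up instead of hanging forever. It cannot be spoofed by a
    # middlebox because it rides inside the SSH transport.
    ServerAliveInterval 120
    ServerAliveCountMax 3

    # TCPKeepAlive: OS-level TCP keepalive probes (default is yes). They are
    # unauthenticated and can be answered or dropped by intermediate devices,
    # and the kernel's probe timer is typically two hours, which is far longer
    # than the 15-minute idle cutoff, so on its own it does not solve this
    # problem. Leaving it on is harmless alongside ServerAliveInterval.
    TCPKeepAlive yes
```

The same effect can be achieved on the server side with ClientAliveInterval and ClientAliveCountMax in sshd_config, which is useful when the client cannot be reconfigured.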

The Debian OpenSSH OpenSSL debacle

I haven't written about this issue yet but felt I should say something, as resolving it took most of my last week. I've read a lot about people dealing with this problem and yet very few seem to truly understand the implications. The bottom line as far as I'm concerned is that all Debian and Ubuntu systems built with the vulnerable package should be considered compromised. And that means a lot more work is needed to secure the systems than just regenerating ssh keys and ssl certificates. Now, I realize that rebuilding all machines might be too much work for many sysadmins. My plan is to rebuild all my host machines and simply consider my virtualized guests to be compromised. Whether that is a wise idea remains to be seen. At a minimum people should not only update all of their keys and certificates but also reset all passwords on the system. At that point one can just hope that no one compromised their machines during the extended period of vulnerability.

Restricting commands over ssh using authprogs

When working on backup systems I hacked together a script that would allow a set of commands, sometimes with substitutions, through a single ssh key. I figured someone else must have these needs and have designed a more robust program. So far the closest thing I have found is authprogs. It has some features my script lacks but lacks some features that my script possesses. So I’m not sure if I’ll use it or just borrow ideas to improve my script.

Except where otherwise noted, content on this site is licensed under a Creative Commons by-nc-sa 3.0 License.