
Keep SSH Sessions Active, Or Reconnect?

borjonx writes "Is it safer to log out of an SSH session, and re-establish it later, or just keep the connection open? Like many of you, I use OpenSSH to connect to my Slackware Linux boxes remotely from Linux and WinXP (putty.exe) clients. At home and at work, I wonder if it would be safer to just leave the connection open (my clients are physically secured, the servers limit connections with hosts.allow). Is it more secure to re-establish the connection over an insecure link (big bad internet) where people can sniff that handshaking, or is it more secure to just remain connected? I connect 1 to 4 times per day, most days."
  • Catch 22 (Score:3, Interesting)

    by SnoopJeDi ( 859765 ) <{snoopjedi} {at} {gmail.com}> on Thursday February 04, 2010 @07:31PM (#31028656)
    If it's an "insecure link" (which is the whole reason SSH was developed ANYWAY), then ANY connection is technically compromised. You can't just assume one that was established "sometime before" is more secure than a new one now. If you carry your assumptions through consistently, they're both compromised and you should just disconnect.
  • Re:Sniffing? (Score:5, Interesting)

    by ettlz ( 639203 ) on Thursday February 04, 2010 @07:43PM (#31028802) Journal

    If you're worried that the possibility someone is going to perform an MITM attack on you is greater than infinitesimal

    ...or the DNS cache gets poisoned, as I once saw. (Thankfully, SSH does a reverse lookup as well and checks the result matches the input, and bails if they don't.)

  • Re:Anonymous Coward (Score:2, Interesting)

    by mysidia ( 191772 ) on Thursday February 04, 2010 @07:45PM (#31028816)

    What if the vulnerability is a cryptanalytic one in the protocol used by OpenSSH for the key negotiation?

    Something like: 2^10 initial key exchanges, reduces the search space for an attacker trying to guess the key

    Or certain nonce values turn out to be vulnerable, but not others.

    Then more session setups helps the hacker to improve their chances of guessing.

  • Re:gnu screen (Score:3, Interesting)

    by mirix ( 1649853 ) on Thursday February 04, 2010 @07:45PM (#31028820)
    dtach is a tiny screen-like app, well, it does just the detach portion of it. Handy if you're running it on something pathetic (hacked router, f.e.), and don't need all of GNU screen's bells and whistles.

    dtach [sourceforge.net]
  • Re:Wat (Score:3, Interesting)

    by Anthony Liguori ( 820979 ) on Thursday February 04, 2010 @07:56PM (#31028960) Homepage

    The short answer is: Whatever.

    It's a little more nuanced than that. To the extent that a long term session is more predictable than a short term session (or vice versa), it may matter. See Timing Analysis of Keystrokes and Timing Attacks on SSH [berkeley.edu].

  • Re:One-time pad (Score:5, Interesting)

    by Sloppy ( 14984 ) on Thursday February 04, 2010 @08:02PM (#31029002) Homepage Journal

    People joke about OTP and say it's infeasible, but seriously: how inconvenient is it to carry around a few gigabytes of pad? It was infeasible 20 years ago but today it sure doesn't sound very burdensome or expensive. The thing is, it's historically so infeasible, that most of today's software doesn't bother to support it. And yet, if our software could use it, I bet plenty of people really would be carrying around randomized flash cards, just for that purpose.

  • Re:One-time pad (Score:4, Interesting)

    by fbjon ( 692006 ) on Thursday February 04, 2010 @08:24PM (#31029182) Homepage Journal
    It's not the carrying around that's burdensome, it's getting the OTP data to wherever you're connecting.
  • by dweller_below ( 136040 ) on Thursday February 04, 2010 @08:31PM (#31029244)

    I do IT Security for a university. One of my projects is to do some rudimentary traffic analysis of our SSH sessions.

    I look for the negotiation between SSH server and client and log connections. Since the negotiation is port independent, I can log the start of SSH sessions, no matter what port they are on. This allows me to:

    1) Notice if important systems have sprung a new SSH backdoor.
    2) Notice if important systems are SSH'ing out to weird places.
    3) Check with local sys-admins and say things like: 'Looks like the Chinese have found your supersecret SSH port. Again. You have proved that TCP/222 and TCP/2222 are not good choices. Maybe this time you want to borrow my HexDice?'

    Anywho, my rudimentary traffic analysis can be defeated if you change the SSH negotiation. It can be hindered if you just leave the connections running for days at a time.

    So, if you want to annoy people like me, you may want to leave the connections up.

    Miles
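
The port-independent session logging described in the comment above, sketched as an added example (not dweller_below's code). It assumes the "negotiation" being matched is the RFC 4253 identification string and that a sensor already supplies the first payload bytes of each TCP flow; the `Flow` record, the tag names and the sample flows are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional, Tuple

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: [\x20-\x7e]*)?\r?$")
MAX_IDENT_LEN = 255  # RFC 4253 limit on the identification line, CR LF included

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # start of the reassembled TCP payload (assumed available)

def ssh_ident(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (protoversion, softwareversion) if the stream opens an SSH session."""
    # A server may send free-text lines first, so every early line is checked.
    for line in payload[:2048].split(b"\n")[:20]:
        m = IDENT_RE.match(line) if len(line) < MAX_IDENT_LEN else None
        if m:
            return m.group(1).decode(), m.group(2).decode()
    return None

def review(flows, watched, expected_ports=(22,)):
    """List every SSH session start with tags for the cases worth a second look."""
    findings = []
    for f in flows:
        ident = ssh_ident(f.first_bytes)
        if ident is None:
            continue  # not SSH, whatever the port number says
        tags = []
        if f.dport not in expected_ports:
            tags.append("nonstandard-port")
        if f.dst in watched:
            tags.append("inbound-to-watched")
        if f.src in watched:
            tags.append("outbound-from-watched")
        findings.append((f.src, f.dst, f.dport, ident[1], tags))
    return findings

SAMPLE_FLOWS = [  # constructed: documentation address ranges, invented banners
    Flow("198.51.100.7", "192.0.2.10", 22, b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    Flow("198.51.100.7", "192.0.2.10", 2222, b"SSH-2.0-OpenSSH_5.3\r\n\x00\x00\x03\x0c\x0a\x14"),
    Flow("192.0.2.10", "203.0.113.50", 443, b"Welcome\r\nSSH-2.0-dropbear_0.52\r\n"),
    Flow("198.51.100.9", "192.0.2.20", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for row in review(SAMPLE_FLOWS, watched={"192.0.2.10"}):
        print(row)
```

Because only the start of a flow carries the identification string, a session left up for days produces a single log entry, which is the blind spot the comment mentions.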

  • Re:screen (Score:5, Interesting)

    by _Sprocket_ ( 42527 ) on Thursday February 04, 2010 @08:32PM (#31029248)

    Huh? So you're saying somehow screen keeps listening on a port and lets evil hackers connect to it, exploit it, and continue using your screen session?

    Can you really be sure it's not just some other vulnerability that is letting someone in?

    One of the high-profile compromises Slashdot covered in the past involved screen. Screen itself wasn't attacked. But it did provide numerous sessions (including SSH tunnels) that provided access to internal systems through an otherwise pretty hard perimeter.

    Screen rocks; I use it all the time. But one really needs to keep in mind the issues involved in using it. Using it to keep open active SSH sessions would be a practical example of one of those issues.

  • Re:screen (Score:2, Interesting)

    by tkiesel ( 891354 ) on Thursday February 04, 2010 @09:50PM (#31029992)
    The GNOME encryption utility has this integrated. I established a key for connecting to my server at work in seconds with a few clicks and my remote password.

    So Ubuntu, Fedora, etc. Linux distributions have this solved.
  • by Ungrounded Lightning ( 62228 ) on Thursday February 04, 2010 @10:17PM (#31030178) Journal

    If there is someone powerful enough to break those systems *and* keep the discovery secret, they're waaay above the league where they'd be interested in your SSH connections. That is, unless you work for the military of a major world power and are known to be transmitting valuable intel.

    Or if you work for a hi-tech company with, say, technology that China (for example) wants badly enough to put their version of the NSA to work cracking you and then handing the company's designs to (for example) Huawei.

    The company I work for would qualify.

    The problem with the tunnel is that it can turn a successful attack on one end into a successful attack on the other. Taking it down when not using it reduces the window of exploitable time. (Which probably still doesn't make a lot of difference for attackers of major-power-intelligence-community level, so never mind. B-) )

  • Re:screen (Score:5, Interesting)

    by JWSmythe ( 446288 ) <jwsmytheNO@SPAMjwsmythe.com> on Friday February 05, 2010 @12:10AM (#31030888) Homepage Journal

        I think his question went beyond the question of how secure the session is, even though he did say it.

        Which is more secure, to leave a shell opened indefinitely, or to close it?

        Unless he's not a normal person, at some point every day, he'll use the restroom. During the work day, he may even go get some food or drinks.

        He admitted to using a Windows machine. I won't even comment on how many viruses and trojans are running around, which may compromise his desktop. All it takes is one virus that gives remote access to his desktop that would give someone a clear shot to his servers.

        As anyone who's worked in an office long enough would know, once in a great while, you'll get dragged away from your desk, and not lock the console. Maybe someone shoulder surfed your password. Maybe you used the same password for your email account, and it was sniffed in the clear (tsk, tsk, should have used an encrypted method).

        Of course, his information may really be worth something. Maybe that root shell will be worth a fortune. What exactly is a dump of the full Bank Of America database worth on the black market? How many fake credit cards can you print up before they reissue every single BoA credit card in circulation? In that case, it would be worth it to visit his home with force. One bump key to the back door, and one silenced shot to the back of the head, and you'd have hours (or days) before you were discovered. As always, there is no security without physical security, and that isn't only the server side of things.

        I'm sure someone can name the XKCD issue which points out the brute force flaw in any security system. A $5 wrench will break any security, if applied properly.

        I'll assume his information isn't all that interesting, since he can access remotely without some serious levels of security. I'd believe we're talking about a few low traffic web servers, and a newbie admin impressing himself that he can keep his connection up for days.
