asf-tooling opened a new issue, #1073:
URL: https://github.com/apache/tooling-trusted-releases/issues/1073

   **ASVS Level(s):** L2-only
   
   **Description:**
   
   ### Summary
   The SSH server configuration lacks keepalive and idle timeout settings. 
Authenticated connections can remain idle indefinitely, exhausting the server's 
connection capacity over time. No automatic cleanup of stale connections exists.
   
   ### Details
   The issue exists in `atr/ssh.py` line 181, where `asyncssh.create_server()` 
is called without keepalive or timeout parameters.
   
   ### Recommended Remediation
   Add keepalive and timeout parameters to SSH server creation:
   
   ```python
   # In atr/ssh.py, line 181
   server = await asyncssh.create_server(
       # ... existing parameters
       keepalive_interval=30,  # Send keepalive every 30 seconds
       keepalive_count_max=3,  # Close after 3 missed keepalives (90s total)
   )
   ```
   
   This sends a keepalive every 30 seconds while no data is arriving from the client 
and closes the connection after 3 unanswered keepalives (about 90 seconds). Note 
that this detects dead or unresponsive peers (for example half-open TCP sessions); a 
client that is idle but still answers keepalives is not disconnected. Connections that 
never complete authentication are bounded separately by asyncssh's `login_timeout` 
option (120 seconds by default).
   
   **Optional:** Add configuration options for flexibility:
   
   ```python
   # In configuration
   import os

   # Read the timeouts from the environment, falling back to the defaults above
   SSH_KEEPALIVE_INTERVAL = int(os.environ.get('SSH_KEEPALIVE_INTERVAL', '30'))
   SSH_KEEPALIVE_COUNT_MAX = int(os.environ.get('SSH_KEEPALIVE_COUNT_MAX', '3'))
   
   # In SSH server creation
   server = await asyncssh.create_server(
       # ... existing parameters
       keepalive_interval=SSH_KEEPALIVE_INTERVAL,
       keepalive_count_max=SSH_KEEPALIVE_COUNT_MAX,
   )
   ```
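   The following is an added, stand-alone illustration of the remediation and the optional configuration above; it is example code, not code from `atr/ssh.py` or the project. It keeps the `SSH_KEEPALIVE_INTERVAL` and `SSH_KEEPALIVE_COUNT_MAX` names from the optional configuration, adds an assumed `SSH_LOGIN_TIMEOUT` variable for asyncssh's `login_timeout` option, and validates the values at start-up so that a misconfigured `0` (which disables keepalives in asyncssh) cannot silently reintroduce the finding. The `SshTimeouts` class and helper functions are assumptions made for this example.

```python
"""Illustrative asyncssh server start-up with environment-driven timeouts.

Added example, not code from atr/ssh.py. The SSH_KEEPALIVE_INTERVAL and
SSH_KEEPALIVE_COUNT_MAX names follow the issue's optional configuration;
SSH_LOGIN_TIMEOUT, SshTimeouts and the helper functions are assumptions
made for this example. Run stand-alone to listen on 127.0.0.1:2222
(requires the asyncssh package); the parsing helpers need no extra packages.
"""
import asyncio
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# asyncssh's own defaults are keepalive_interval=0 (keepalives disabled),
# keepalive_count_max=3 and login_timeout=120 seconds; these are ours.
DEFAULTS = {
    "SSH_KEEPALIVE_INTERVAL": 30,   # seconds of silence before a keepalive is sent
    "SSH_KEEPALIVE_COUNT_MAX": 3,   # unanswered keepalives tolerated before disconnect
    "SSH_LOGIN_TIMEOUT": 120,       # seconds an unauthenticated connection may linger
}


@dataclass(frozen=True)
class SshTimeouts:
    keepalive_interval: int
    keepalive_count_max: int
    login_timeout: int


def _positive_int(env: Mapping[str, str], name: str) -> int:
    """Read a positive integer; a missing or blank value falls back to DEFAULTS.

    Zero and negatives are rejected rather than passed through, because
    keepalive_interval=0 silently disables keepalives in asyncssh, which
    would reopen the finding while looking configured.
    """
    raw = env.get(name, "").strip()
    if raw == "":
        return DEFAULTS[name]
    try:
        value = int(raw)
    except ValueError as exc:
        raise ValueError(f"{name} must be an integer, got {raw!r}") from exc
    if value <= 0:
        raise ValueError(f"{name} must be greater than 0, got {value}")
    return value


def timeouts_from_env(env: Optional[Mapping[str, str]] = None) -> SshTimeouts:
    """Build the timeout settings from os.environ (or a supplied mapping)."""
    env = os.environ if env is None else env
    return SshTimeouts(
        keepalive_interval=_positive_int(env, "SSH_KEEPALIVE_INTERVAL"),
        keepalive_count_max=_positive_int(env, "SSH_KEEPALIVE_COUNT_MAX"),
        login_timeout=_positive_int(env, "SSH_LOGIN_TIMEOUT"),
    )


def check_timeouts(env: Mapping[str, str]) -> Optional[str]:
    """Start-up check: return an error message, or None if the settings are usable."""
    try:
        timeouts_from_env(env)
    except ValueError as exc:
        return str(exc)
    return None


async def start_server(timeouts: SshTimeouts, host: str = "127.0.0.1", port: int = 2222):
    """Start an asyncssh server with dead-peer detection and a login deadline."""
    import asyncssh  # imported here so the helpers above work without it installed

    class Server(asyncssh.SSHServer):
        # Authentication handlers are intentionally omitted: every client
        # fails auth, which is enough to exercise login_timeout.
        pass

    # Throwaway host key so the example runs without any files on disk.
    host_key = asyncssh.generate_private_key("ssh-ed25519")
    return await asyncssh.create_server(
        Server, host, port,
        server_host_keys=[host_key],
        keepalive_interval=timeouts.keepalive_interval,    # probe silent peers
        keepalive_count_max=timeouts.keepalive_count_max,  # then drop unresponsive ones
        login_timeout=timeouts.login_timeout,              # bound pre-auth connections
    )


async def main() -> None:
    problem = check_timeouts(os.environ)
    if problem:
        raise SystemExit(f"refusing to start: {problem}")
    await start_server(timeouts_from_env())
    await asyncio.Event().wait()  # serve until interrupted


if __name__ == "__main__":
    asyncio.run(main())
```

   Running `check_timeouts` before binding the socket means a deployment that sets `SSH_KEEPALIVE_INTERVAL=0` fails loudly at start-up instead of running with keepalives disabled; the manual test in the acceptance criteria can then be done by connecting with a client, blocking its traffic (for example with a host firewall rule), and confirming the server drops the session after the configured number of unanswered keepalives.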
   
   ### Acceptance Criteria
   - [ ] keepalive_interval parameter added (30 seconds)
   - [ ] keepalive_count_max parameter added (3 attempts)
   - [ ] Configuration options added for flexibility (optional)
   - [ ] Unit tests verify idle connections are closed
   - [ ] Integration tests verify SSH keepalive behavior
   - [ ] Documentation updated with timeout settings
   - [ ] Manual testing confirms stale connections are cleaned up
   
   ### References
   - Source reports: L2:15.2.2.md
   - Related findings: FINDING-050
   - ASVS sections: 15.2.2
   
   ### Priority
   Medium
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

