when openssh will kick out idle users ?


when reading CIS security baseline. it mentions following lines:

Having no timeout value associated with a connection could allow an unauthorized user access to another user’s ssh session (e.g. user walks away from their computer and doesn’t lock the screen). Setting a timeout value at least reduces the risk of this happening..
While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.

Review our settings:
ClientAliveInterval 300
ClientAliveCountMax 1

According to man sshd_config
If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

Interesting thing is: you won’t be kicked out after 45s if you set as above with Protocol 2.

From my test: the timeout will ONLY work when you set ClientAliveCountMax to 0. and idle time set to what you want kick out the user.

  1. #1 by edyliu on 2016-05-31 - 23:37

    Here is more details explanation:

    >>>ClientAliveCountMax is a counter. ClientAliveInterval is a timeout interval.
    >
    >With ClientAliveCountMax == 0 there will be no “client alive packet”
    >sent and I will force a disconnection if there is no traffic within
    >ClientAliveInterval secs.

    yes, that’s how I remember it and that’s why it can be
    “overloaded” and used to disconnect idle clients since nothing is
    actually sent from the server.

    >With ClientAliveCountMax == 1 there will be 1 “client alive packet”
    >sent and I will force a disconnection if there is no traffic and no
    >reply within 2*ClientAliveInterval secs.

    yes, I believe that is correct. You can easily verify that if
    you set up a firewall, for example.

(will not be published)