Archive for May, 2016

when openssh will kick out idle users ?

when reading CIS security baseline. it mentions following lines:

Having no timeout value associated with a connection could allow an unauthorized user access to another user’s ssh session (e.g. user walks away from their computer and doesn’t lock the screen). Setting a timeout value at least reduces the risk of this happening..
While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.

Review our settings:
ClientAliveInterval 300
ClientAliveCountMax 1

According to man sshd_config
If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

Interesting thing is: you won’t be kicked out after 45s if you set as above with Protocol 2.

From my test: the timeout will ONLY work when you set ClientAliveCountMax to 0. and idle time set to what you want kick out the user.

1 Comment