Posts Tagged ssh

when openssh will kick out idle users ?

when reading CIS security baseline. it mentions following lines:

Having no timeout value associated with a connection could allow an unauthorized user access to another user’s ssh session (e.g. user walks away from their computer and doesn’t lock the screen). Setting a timeout value at least reduces the risk of this happening..
While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.

Review our settings:
ClientAliveInterval 300
ClientAliveCountMax 1

According to man sshd_config
If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

Interesting thing is: you won’t be kicked out after 45s if you set as above with Protocol 2.

From my test: the timeout will ONLY work when you set ClientAliveCountMax to 0. and idle time set to what you want kick out the user.

1 Comment

ssh: access denied for user

Issue:
Jun 20 03:18:04 localhost sshd[512]: Failed password for iamid from 10.x.x.1 port 44241 ssh2
Jun 20 03:18:04 localhost sshd[513]: fatal: Access denied for user iamid by PAM account configuration

check /var/log/secure, got above messages.

tips to troubleshooting:

1. /etc/nologin exists or not, if exists, remove it.
2. /etc/security/access.conf, whether your group/user exists in allow list.

if still have issue, turn on DEBUG for sshd.

,

No Comments

ssh_exchange_identification: Connection closed by remote host

What’s wrong with the server ?

debug1: identity file /export/home/intprd/.ssh/id_dsa type 2
ssh_exchange_identification: Connection closed by remote host
Connection closed

if your sshd is busy, you may consider to increase the MaxStartups 10 -> MaxStartups 100, change the value according to your request.

more details you can get by turn debug on for sshd server LogLevel DEBUG

If you got error msg like following from messages/secure logs.
May 30 02:49:14 localhost sshd[19458]: [ID 800047 auth.debug] debug1: drop connection #10
May 30 02:49:15 localhost sshd[19458]: [ID 800047 auth.debug] debug1: drop connection #10

which means you reach MaxStartups 10 now.

No Comments