Linux and BSD security. Limit time of idle ssh sessions

Written by
Date: 2011-02-07 10:36:30 00:00


One of the best security advice is to keep strong passwords, but what happens if even if your users have the strongest passwords, they leave their ssh session open, and unattended. This means that anyone can approach to the PC and just using the passwd command, may change the password, and thus gain access to the server.

So, how to solve this, the best way is to disconnect any idle ssh connection, we’ll use ClientAliveInterval and ClientAliveCountMax to accomplish that.

From the man page:

ClientAliveCountMax: Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

Limit the time idle ssh session may stay open

We’ll in this example set the maximum time to 1 minute idle, so open sshd_config file with your favorite text editor. (as root)

vim /etc/ssh/sshd_config

And be sure this options are set:

ClientAliveInterval 60
ClientAliveCountMax 0

This way after 60 seconds, the ssh session will be terminated, with no keep alive package even being sent. You may adjust the idle time with ClientAliveInterval, set it in seconds to the time you think is enough for your users.