Set SSH idle timeout Ubuntu 20.04
As of the more recent versions of openssh server, there is no way to configure an inactivity/idle timeout via /etc/ssh/sshd_config
.
While one can find a great many references saying to set ClientAliveCountMax 0
in conjunction with ClientAliveInterval N
to create an inactivity/idle timeout, evidently that was not an intended ability and has now been intentionally closed.
The relevant change to the sshd_config man pages for ClientAliveCountMax is this additional sentence: "Setting a zero ClientAliveCountMax disables connection termination.
"
Some have submitted bug reports against openssh, in particular this one and this one. Some particularly relevant excerpts:
ClientAliveCountMax=0 has never been specified to work as an idle timeout. If it did that then it was by accident and would be unreliable. E.g. if the client specified it's own ServerAliveTimeout or kept a forwarded TCP connection open then it would never fire.
and
If you need a idle timeout, then I suggest looking at shell features (e.g. bash's TMOUT) or something like a PAM module.
user2149308
Updated on September 18, 2022Comments
-
user2149308 over 1 year
I want incoming ssh-sessions to automatically disconnect upon inactivity for a security-critical server.
I've set the following settings
TCPKeepAlive no ClientAliveInterval 30 ClientAliveCountMax 0
I would expect sshd not to send KeepAlive-Packages due to
TCPKeepAlive
andClientAliveCountMax
- and my sessions to timeout after 30 seconds. On top of that I thinkTCPKeepAlive
could be left at its default which should beyes
.I've checked existing sessions like that:
root@<server>:/etc/apache2# w 06:53:51 up 2 days, 21:25, 2 users, load average: 0,00, 0,00, 0,00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT _____-ad pts/0 ____________ Do11 6.00s 0.99s 0.00s sshd: _____-admin [priv] _____-us pts/1 ____________ 06:40 13:26 0.02s 0.02s -bash
The sessions won't timeout...
I restarted sshd of course.
root@<server>:/etc/apache2# sshd -T | grep -i "ClientAlive" clientaliveinterval 30 clientalivecountmax 0
Could the client still be sending KeepAlive-Packages? I cannot control all versions of clients that connect..
References: https://www.golinuxcloud.com/disconnect-idle-ssh-session-tcpkeepaliv-linux/ https://secscan.acron.pl/centos7/5/2/13
EDIT:
TCPKeepAlive yes
doesn't change the behaviour, sessions still linger. I also started a new session after I restarted sshd to avoid having old settings in my ssh-session.EDIT2: Added keyword "incoming" to the description above to make it clearer, that I want my ssh server (sshd) to drop connections after an idle timeout, because users might forget about their open (and unsed) ssh sessions.
EDIT3: Just for information - used sshd version:
root@<server>:/etc/apache2# dpkg -l openssh-server Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten | Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/ Halb installiert/Trigger erWartet/Trigger anhängig |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht) ||/ Name Version Architektur Beschreibung +++-==============-==================-============-================================================================= ii openssh-server 1:8.2p1-4ubuntu0.1 amd64 secure shell (SSH) server, for secure access from remote machines root@<server>:/etc/apache2# sshd -V unknown option -- V OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
Working as expected in
- Debian 10 (OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019)*
- Ubuntu 16.04 (OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016)
*For Debian 10 I wanted to compare
sshd -T
. Options that differ:casignaturealgorithms
,gssapikexalgorithms
,hostbasedacceptedkeytypes
,hostkeyalgorithms
,kexalgorithms
,passwordauthentication
,permitrootlogin
,pubkeyacceptedkeytypes
,pubkeyauthoptions
,securitykeyprovider
I've only set
passwordauthentication no
I've connected from the same host, the only difference is I used pubkey authentication for the server in question and password authentication for the Debian 10 server.
Sorry that it's getting long.. It kinda turns into a bug report..
On Debian 10:
-
ClientAliveInterval 10
,ClientAliveCountMax 3
:ssh -v
records the messagedebug1: client_input_channel_req: channel 0 rtype [email protected] reply 1
every 10 seconds -
ClientAliveInterval 10
,ClientAliveCountMax 0
: session disconnects after 10 seconds.
On Ubuntu 20.04:
-
ClientAliveInterval 10
,ClientAliveCountMax 0
:ssh -v
records the messagedebug1: client_input_channel_req: channel 0 rtype [email protected] reply 1
every 10 seconds
-
Rinzwind almost 4 yearsYou do restart ssh after the alterations? :) Cuz what you do here is correct.
-
user2149308 almost 4 yearsI didn't restart
ssh
, butsshd
. Thatsshd
sees the correct settings I also verified withsshd -T
. I even didsystemctl stop sshd; netstat -tulpen
and it showed nothing listening on port 22, so I started sshd again. But the behaviour is unchanged. I'll add the sshd version to the post and check the behaviour on other servers (Ubuntu 16.04/18.04, SLES)... I doubt it's a bug though -
Doug Smythies almost 4 yearsI observe a difference in the man page for sshd_config between Ubuntu server 16.04 and 20.04: under ClientAliveCountMax 16.04 does not have this part
Setting a zero ClientAliveCountMax disables connection termination.
I have repeated all of your work and got the same results. With tcpdump, I observe a packet sent to and a reply from the client no matter the settings. -
Doug Smythies almost 4 yearsinteresting related reading, particularly post #10.
-
Doug Smythies almost 4 years
-
user2149308 almost 4 yearsYou're really an ssh expert Doug! Thanks for your time and effort! I'll give TMOUT a shot then =) Since your comment answers the question, do you want to write an answer? I'll gladly accept it =)