Set SSH idle timeout Ubuntu 20.04
As of the more recent versions of openssh server, there is no way to configure an inactivity/idle timeout via /etc/ssh/sshd_config.
While one can find a great many references saying to set ClientAliveCountMax 0 in conjunction with ClientAliveInterval N to create an inactivity/idle timeout, evidently that was not an intended ability and has now been intentionally closed.
The relevant change to the sshd_config man pages for ClientAliveCountMax is this additional sentence: "Setting a zero ClientAliveCountMax disables connection termination."
Some have submitted bug reports against openssh, in particular this one and this one. Some particularly relevant excerpts:
ClientAliveCountMax=0 has never been specified to work as an idle timeout. If it did that then it was by accident and would be unreliable. E.g. if the client specified it's own ServerAliveTimeout or kept a forwarded TCP connection open then it would never fire.
and
If you need a idle timeout, then I suggest looking at shell features (e.g. bash's TMOUT) or something like a PAM module.
user2149308
Updated on September 18, 2022Comments
-
user2149308 over 1 year
I want incoming ssh-sessions to automatically disconnect upon inactivity for a security-critical server.
I've set the following settings
TCPKeepAlive no ClientAliveInterval 30 ClientAliveCountMax 0I would expect sshd not to send KeepAlive-Packages due to
TCPKeepAliveandClientAliveCountMax- and my sessions to timeout after 30 seconds. On top of that I thinkTCPKeepAlivecould be left at its default which should beyes.I've checked existing sessions like that:
root@<server>:/etc/apache2# w 06:53:51 up 2 days, 21:25, 2 users, load average: 0,00, 0,00, 0,00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT _____-ad pts/0 ____________ Do11 6.00s 0.99s 0.00s sshd: _____-admin [priv] _____-us pts/1 ____________ 06:40 13:26 0.02s 0.02s -bashThe sessions won't timeout...
I restarted sshd of course.
root@<server>:/etc/apache2# sshd -T | grep -i "ClientAlive" clientaliveinterval 30 clientalivecountmax 0Could the client still be sending KeepAlive-Packages? I cannot control all versions of clients that connect..
References: https://www.golinuxcloud.com/disconnect-idle-ssh-session-tcpkeepaliv-linux/ https://secscan.acron.pl/centos7/5/2/13
EDIT:
TCPKeepAlive yesdoesn't change the behaviour, sessions still linger. I also started a new session after I restarted sshd to avoid having old settings in my ssh-session.EDIT2: Added keyword "incoming" to the description above to make it clearer, that I want my ssh server (sshd) to drop connections after an idle timeout, because users might forget about their open (and unsed) ssh sessions.
EDIT3: Just for information - used sshd version:
root@<server>:/etc/apache2# dpkg -l openssh-server Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten | Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/ Halb installiert/Trigger erWartet/Trigger anhängig |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht) ||/ Name Version Architektur Beschreibung +++-==============-==================-============-================================================================= ii openssh-server 1:8.2p1-4ubuntu0.1 amd64 secure shell (SSH) server, for secure access from remote machines root@<server>:/etc/apache2# sshd -V unknown option -- V OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020Working as expected in
- Debian 10 (OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019)*
- Ubuntu 16.04 (OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016)
*For Debian 10 I wanted to compare
sshd -T. Options that differ:casignaturealgorithms,gssapikexalgorithms,hostbasedacceptedkeytypes,hostkeyalgorithms,kexalgorithms,passwordauthentication,permitrootlogin,pubkeyacceptedkeytypes,pubkeyauthoptions,securitykeyproviderI've only set
passwordauthentication noI've connected from the same host, the only difference is I used pubkey authentication for the server in question and password authentication for the Debian 10 server.
Sorry that it's getting long.. It kinda turns into a bug report..
On Debian 10:
-
ClientAliveInterval 10,ClientAliveCountMax 3:ssh -vrecords the messagedebug1: client_input_channel_req: channel 0 rtype [email protected] reply 1every 10 seconds -
ClientAliveInterval 10,ClientAliveCountMax 0: session disconnects after 10 seconds.
On Ubuntu 20.04:
-
ClientAliveInterval 10,ClientAliveCountMax 0:ssh -vrecords the messagedebug1: client_input_channel_req: channel 0 rtype [email protected] reply 1every 10 seconds
-
Rinzwind almost 4 yearsYou do restart ssh after the alterations? :) Cuz what you do here is correct.
-
user2149308 almost 4 yearsI didn't restart
ssh, butsshd. Thatsshdsees the correct settings I also verified withsshd -T. I even didsystemctl stop sshd; netstat -tulpenand it showed nothing listening on port 22, so I started sshd again. But the behaviour is unchanged. I'll add the sshd version to the post and check the behaviour on other servers (Ubuntu 16.04/18.04, SLES)... I doubt it's a bug though -
Doug Smythies almost 4 yearsI observe a difference in the man page for sshd_config between Ubuntu server 16.04 and 20.04: under ClientAliveCountMax 16.04 does not have this partSetting a zero ClientAliveCountMax disables connection termination.I have repeated all of your work and got the same results. With tcpdump, I observe a packet sent to and a reply from the client no matter the settings. -
Doug Smythies almost 4 yearsinteresting related reading, particularly post #10.
-
Doug Smythies almost 4 years
-
user2149308 almost 4 yearsYou're really an ssh expert Doug! Thanks for your time and effort! I'll give TMOUT a shot then =) Since your comment answers the question, do you want to write an answer? I'll gladly accept it =)
