I am using sshd on Ubuntu 16.4 LTE and I am trying to configure my sshd so that when a user is connected for too much time without doing anything, he'll get disconnected by the ssh server.
1
Kiwy
Omer Anisfeld
2 Answers
4
Also, make sure the following parameters are uncommented in `/etc/ssh/sshd_config`:

```
ClientAliveInterval 900
ClientAliveCountMax 0
```

If not, this will also cause disconnection. (Changes will take effect after you restart the sshd, and only for sessions opened afterwards).
tonioc
- way more secure as no one can change this value except root – Kiwy Mar 12 '18 at 16:21
- However, easier to work around (even accidentally). If the client, in turn, sets the client-side `ServerAliveInterval` option to something shorter than 900, then the server-side `ClientAliveInterval` will never trigger as long as the client is reachable, no matter how long the user is idling. If the user needs to work with firewalled networks with an overly strict idle connection cut-off, they may set `ServerAliveInterval` as a matter of course. – telcoM Mar 12 '18 at 16:42
- This does work on older versions of SSH, but [was removed in OpenSSH 8.2](https://unix.stackexchange.com/a/646887/27685). – andrew Apr 26 '21 at 22:41
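
An added example, not part of the original answers or of OpenSSH: a small POSIX shell check that reads `sshd_config` text and reports what the `ClientAlive*` settings from the answer above do for idle sessions, including the OpenSSH 8.2 change mentioned in the last comment. The function names `first_value` and `audit_idle` and the sample config are constructed for illustration; it assumes plain-second values, `Keyword value` syntax, and no `Match` blocks or `Include` files.

```sh
#!/bin/sh
# Added example: classify what ClientAlive* settings in sshd_config text do
# for idle sessions. Assumes plain-second values, "Keyword value" syntax,
# and no Match blocks or Include files.

# first_value KEYWORD: print the first uncommented value found on stdin.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
first_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# audit_idle CONFIG_TEXT: print "verdict: explanation".
audit_idle() {
    interval=$(printf '%s\n' "$1" | first_value ClientAliveInterval)
    count=$(printf '%s\n' "$1" | first_value ClientAliveCountMax)
    interval=${interval:-0}   # sshd default: no keepalive probes
    count=${count:-3}         # sshd default
    if [ "$interval" -eq 0 ]; then
        echo "off: sshd sends no keepalive probes"
    elif [ "$count" -eq 0 ]; then
        echo "version-dependent: disconnects after one silent interval before OpenSSH 8.2, disables disconnects from 8.2 on"
    else
        echo "unresponsive-only: dead clients dropped after about $((interval * count))s, reachable idle users stay"
    fi
}

# Constructed sample (not from a real host): the commented line is ignored,
# the lowercase keyword still matches, and the first CountMax wins.
sample='#ClientAliveInterval 300
clientaliveinterval 900
ClientAliveCountMax 0
ClientAliveCountMax 3'
audit_idle "$sample"
```

Feeding it the output of `sshd -T` instead of the raw file covers `Include` files and defaults, since that prints the effective configuration.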
2
I suggest implementing that in the shell, not the sshd.
From the Advanced Bash-Scripting Guide, section 9.1. Internal Variables:

> `$TMOUT`
>
> If the `$TMOUT` environmental variable is set to a non-zero value *time*, then the shell prompt will time out after *time* seconds. This will cause a logout.

To make it harder for the user to unset the variable, you set it in a system-wide login script and make it read-only, with e.g. `readonly TMOUT=900`.

If you only want the timeout for SSH sessions, make it conditional. For example, if your distribution has `/etc/profile.d`, you could put this in `/etc/profile.d/ssh-timeout.sh`:

```
if [ "$SSH_CONNECTION" != "" ]; then
    readonly TMOUT=900 # a 15-minute timeout for SSH connections only
fi
```
telcoM
Nils Magnus
- Yes, but I want this to take effect only on SSH sessions; I don't want the serial/telnet/other connections to be affected. – Omer Anisfeld Mar 12 '18 at 16:28
- That's easy to fix by setting the TMOUT variable only when the `SSH_CONNECTION` variable exists. See my edit above. – telcoM Mar 12 '18 at 16:56