OpenSSH Session Timeouts

It is often desirable to terminate SSH sessions after they have been sitting idle for a period of time. A quick search suggests that many (most?) people believe the sshd configuration settings ClientAliveInterval and ClientAliveCountMax are where this is configured. Sadly, many security hardening guides[1,2], frameworks, benchmark documents, and the tools based on those documents repeat this same incorrect guidance. ClientAliveInterval and ClientAliveCountMax do not exist to terminate sessions that have merely gone unused for a period of time. In OpenSSH these settings are used to detect unresponsive clients (NOT responsive, functioning but idle clients). They are purely a heartbeat mechanism.

Below you can see a ClientAliveInterval setting of 60 seconds and my OpenSSH session having zero input or output for 120 seconds and still remaining connected:

[jblaine@testbed1~]$ sudo grep -i client /etc/ssh/sshd_config
ClientAliveCountMax 0
ClientAliveInterval 60
[jblaine@testbed1~]$ count=0; while :; do count=$(( count + 120 )); sleep 120; echo $count seconds have passed; done
120 seconds have passed
240 seconds have passed
^C

Likewise, we see the same behavior with ClientAliveCountMax set to 1:

[jblaine@testbed1~]$ sudo grep -i client /etc/ssh/sshd_config
ClientAliveCountMax 1
ClientAliveInterval 60
[jblaine@testbed1~]$ count=0; while :; do count=$(( count + 120 )); sleep 120; echo $count seconds have passed; done
120 seconds have passed
240 seconds have passed
^C

OpenSSH has zero functionality built into it to disconnect sessions that are functional but merely idle for a certain period of time. When sshd receives no response from a client after ClientAliveCountMax * ClientAliveInterval seconds, it considers the client unresponsive at the network level and terminates the connection. See client_alive_check() in OpenSSH's serverloop.c.
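As an added illustration (not code from the post), the POSIX shell script below reads the two keywords out of a constructed sshd_config excerpt the way sshd does (case-insensitive keyword, first occurrence wins), prints the window after which an unresponsive client is dropped using the formula above, and models the heartbeat so you can see that an idle-but-responsive client is never disconnected. The model follows the description in this post rather than serverloop.c line for line; the rule that ClientAliveCountMax 0 disables termination comes from sshd_config(5).

```shell
# Constructed sshd_config excerpt (not from the post): mixed case, a comment
# and a repeated keyword, so the parser must apply sshd's rules (keywords are
# case-insensitive; the first occurrence wins).
SAMPLE_CONFIG='# a hardening guide calls this an "idle timeout"; it is not
clientaliveinterval 60
ClientAliveCountMax 3
ClientAliveInterval 900   # ignored by sshd: first occurrence wins
'
# Effective value of keyword $2 in config text $1, or default $3 if absent.
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key && !found { print $2; found = 1 }
        END { if (!found) print def }'
}
# Seconds of NO RESPONSE after which sshd drops a client, using the formula in
# the post (ClientAliveCountMax * ClientAliveInterval) and sshd's defaults
# (Interval 0 = no probes, CountMax 3). CountMax 0 disables termination per
# sshd_config(5); both cases print "never".
unresponsive_window() {
    interval=$(sshd_opt "$1" ClientAliveInterval 0)
    countmax=$(sshd_opt "$1" ClientAliveCountMax 3)
    if [ "$interval" -eq 0 ] || [ "$countmax" -eq 0 ]; then
        echo never
    else
        echo $(( interval * countmax ))
    fi
}
# Heartbeat model as the post describes it: after every $1 seconds of silence
# sshd probes the client; a reply resets the miss counter, $2 consecutive
# misses end the session. $3 lists each probe's outcome (1 = reply, 0 = none).
# Prints "connected" or "disconnected at <seconds>"; idle time alone is ignored.
heartbeat_model() {
    misses=0; t=0
    for reply in $3; do
        t=$(( t + $1 ))
        if [ "$reply" -eq 1 ]; then misses=0; else misses=$(( misses + 1 )); fi
        if [ "$2" -gt 0 ] && [ "$misses" -ge "$2" ]; then
            echo "disconnected at $t"; return 0
        fi
    done
    echo connected
}
echo "unresponsive client dropped after: $(unresponsive_window "$SAMPLE_CONFIG") s"
echo "idle 10 min, answers every probe:  $(heartbeat_model 60 3 '1 1 1 1 1 1 1 1 1 1')"
echo "network gone after 2 min:          $(heartbeat_model 60 3 '1 1 0 0 0')"
echo "flaky link, never 3 misses in a row: $(heartbeat_model 60 3 '0 0 1 0 0 1')"
```

Swap in the output of `sshd -T` for SAMPLE_CONFIG to check a real host; the heartbeat model is the point of the exercise, since it shows that only consecutive unanswered probes, never elapsed idle time, end the session.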

How did this misunderstanding come about? The usual suspects: echo chambers and people copying and pasting without testing. But I also blame the ClientAliveInterval section of the man page for sshd, which uses the overloaded term “inactive” where it should use the word “unresponsive”. As such, I’ve created a pull request.
