It is often desirable to terminate SSH sessions after they have been sitting idle for a period of time. If you do any quick searching you will find that many (most?) believe that the sshd configuration settings ClientAliveInterval and ClientAliveCountMax are the place to configure this. Sadly, many security hardening guides [1,2], frameworks, benchmark documents, and tools (which are based on those documents) provide this same incorrect guidance. ClientAliveInterval and ClientAliveCountMax do not at all exist for the sake of terminating sessions after mere lack of use for a period of time. These settings in OpenSSH are used to detect unresponsive clients (NOT responsive, functioning but idle clients). The settings are used purely as a heartbeat mechanism.
Below you can see a ClientAliveInterval setting of 60 seconds and my OpenSSH session having zero input or output for 120 seconds and still remaining connected:
[jblaine@testbed1~]$ sudo grep -i client /etc/ssh/sshd_config
ClientAliveCountMax 0
ClientAliveInterval 60
[jblaine@testbed1~]$ count=0; while :; do count=$(( count + 120 )); sleep 120; echo $count seconds have passed; done
120 seconds have passed
240 seconds have passed
^C
Likewise, we see the same behavior with ClientAliveCountMax set to 1:
[jblaine@testbed1~]$ sudo grep -i client /etc/ssh/sshd_config
ClientAliveCountMax 1
ClientAliveInterval 60
[jblaine@testbed1~]$ count=0; while :; do count=$(( count + 120 )); sleep 120; echo $count seconds have passed; done
120 seconds have passed
240 seconds have passed
^C
OpenSSH has zero functionality built into it to disconnect sessions that are functional but merely idle for a certain period of time. When sshd receives no response from a client after ClientAliveCountMax * ClientAliveInterval seconds, the client is considered unresponsive network-wise and sshd will terminate the connection. See client_alive_check() in OpenSSH serverloop.c.
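To make the heartbeat semantics concrete, here is a small added simulation (my own illustration, not code from the post or from OpenSSH) of the counter logic described above. It assumes a simplified model of client_alive_check(): each time sshd's poll times out with no packet from the client, an alive request is sent and a counter is incremented; any packet from the client resets the counter; and sshd disconnects once the counter exceeds ClientAliveCountMax (a value of 0 disables termination, and ClientAliveInterval 0 disables the heartbeat entirely). The two client models are the ones the post contrasts: a client that is idle but answers the alive request, and a client that has gone silent on the network. The config parser uses the sshd_config defaults of ClientAliveInterval 0 and ClientAliveCountMax 3; exact timing in real sshd is approximate to within one interval.

```python
"""Model of sshd's ClientAlive heartbeat (added illustration, not OpenSSH code).

Assumed simplified logic of client_alive_check() in serverloop.c:
  - poll timeout with no client packet -> send alive request, counter += 1
  - any packet from the client           -> counter = 0
  - counter > ClientAliveCountMax        -> disconnect (CountMax 0: never)
Idle time is never consulted; only packets from the client matter.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Client:
    responds_to_keepalive: bool               # answers keepalive@openssh.com requests
    typing_at: Set[int] = field(default_factory=set)  # seconds with real user input


@dataclass
class Result:
    disconnected_at: Optional[int]  # second at which sshd would disconnect, or None
    keepalives_sent: int


def parse_client_alive(config_text: str) -> Tuple[int, int]:
    """Extract (ClientAliveInterval, ClientAliveCountMax) from sshd_config text.

    Keywords are matched case-insensitively; missing keys fall back to the
    sshd_config defaults (Interval 0 = heartbeat off, CountMax 3).
    """
    interval, count_max = 0, 3
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "clientaliveinterval":
            interval = int(parts[1])
        elif key == "clientalivecountmax":
            count_max = int(parts[1])
    return interval, count_max


def simulate(interval: int, count_max: int, client: Client, duration: int) -> Result:
    """Step through `duration` seconds of a session under the modelled heartbeat."""
    alive_timeouts = 0          # unanswered alive requests since last client packet
    keepalives_sent = 0
    next_check = interval       # when the server's poll would next time out
    for now in range(1, duration + 1):
        if now in client.typing_at:
            # Real traffic is a client packet: reset the counter, restart the timer.
            alive_timeouts = 0
            next_check = now + interval
            continue
        if interval == 0 or now < next_check:
            continue            # heartbeat disabled, or poll not timed out yet
        # Poll timed out with nothing from the client: client_alive_check().
        alive_timeouts += 1
        if count_max > 0 and alive_timeouts > count_max:
            return Result(now, keepalives_sent)   # "Timeout, client not responding"
        keepalives_sent += 1
        next_check = now + interval
        if client.responds_to_keepalive:
            # The reply (even a REQUEST_FAILURE) is a client packet, so the
            # counter resets: an idle-but-alive session is never torn down.
            alive_timeouts = 0
    return Result(None, keepalives_sent)


def simulate_from_config(config_text: str, client: Client, duration: int) -> Result:
    interval, count_max = parse_client_alive(config_text)
    return simulate(interval, count_max, client, duration)


if __name__ == "__main__":
    # Constructed config mirroring the second grep in the post.
    cfg = "ClientAliveCountMax 1\nClientAliveInterval 60\n"
    idle = Client(responds_to_keepalive=True)
    dead = Client(responds_to_keepalive=False)
    print("idle but responsive:", simulate_from_config(cfg, idle, 600))
    print("unresponsive:       ", simulate_from_config(cfg, dead, 600))
```

Running it shows the idle-but-responsive client surviving the full 600 seconds (with ten alive requests answered) while the silent client is dropped at 120 seconds, i.e. once the second consecutive alive request goes unanswered with ClientAliveCountMax 1.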
How did this misunderstanding come about? The usual suspects: echo chambers and people copying and pasting without testing. But I also blame the ClientAliveInterval section of the man page for sshd, which uses the overloaded term “inactive” where it should use the word “unresponsive”. As such, I’ve created a pull request.