Networking Forums

sshd Timeout

Buck Turgidson
      11-07-2003, 02:15 PM
I want to institute a timeout in sshd, so that if a user falls asleep in his
chair, or heads to the bar without logging off, his session will be killed
after 15 minutes of inactivity.

From what I can see by reading Google posts, the clientAliveInterval polls
the software, to see if the client is still active, i.e. the session is
still up and running. But it does not test activity, i.e. actual
keystrokes.

Is this true?

Is there a way to do what I want to do within sshd_config? I was also
reading that iptables can be used. Do I need to go this route?

I am using openssh-3.5p1-107 on SuSE 8.2.







ClientAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the client, sshd will send a message through
the encrypted channel to request a response from the client. The
default is 0, indicating that these messages will not be sent to
the client. This option applies to protocol version 2 only.

ClientAliveCountMax
Sets the number of client alive messages (see above) which may be
sent without sshd receiving any messages back from the client. If
this threshold is reached while client alive messages are being
sent, sshd will disconnect the client, terminating the session.
It is important to note that the use of client alive messages is
very different from KeepAlive (below). The client alive messages
are sent through the encrypted channel and therefore will not be
spoofable. The TCP keepalive option enabled by KeepAlive is
spoofable. The client alive mechanism is valuable when the client
or server depend on knowing when a connection has become inactive.

The default value is 3. If ClientAliveInterval (above) is set to
15, and ClientAliveCountMax is left at the default, unresponsive
ssh clients will be disconnected after approximately 45 seconds.


 
Jacob Westenbach
      11-07-2003, 06:40 PM
"Buck Turgidson" wrote in message:
> I want to institute a timeout in sshd, so that if a user falls asleep in his
> chair, or heads to the bar without logging off, his session will be killed
> after 15 minutes of inactivity.
>
> From what I can see by reading Google posts, the clientAliveInterval polls
> the software, to see if the client is still active, i.e. the session is
> still up and running. But it does not test activity, i.e. actual
> keystrokes.
>
> Is this true?
>
> Is there a way to do what I want to do within sshd_config? I was also
> reading that iptables can be used. Do I need to go this route?
>
> I am using openssh-3.5p1-107 on SuSE 8.2.


This can be problematic because the client s/w has the capability of
performing KeepAlive if so configured. Unless you have complete control of
the configuration of the client(s) the server can be convinced that activity
is continuing.

JW


 
Michael Heiming
      11-07-2003, 11:33 PM
Buck Turgidson wrote:
> I want to institute a timeout in sshd, so that if a user falls asleep in his
> chair, or heads to the bar without logging off, his session will be killed
> after 15 minutes of inactivity.


> From what I can see by reading Google posts, the clientAliveInterval polls
> the software, to see if the client is still active, i.e. the session is
> still up and running. But it does not test activity, i.e. actual
> keystrokes.


> Is this true?


Yep, all you want has nothing to do with sshd.

man 1 bash
/TMOUT

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM
 
Buck Turgidson
      11-08-2003, 01:08 AM
>
> Yep, all you want has nothing to do with sshd.
>
> man 1 bash
> /TMOUT
>

Looks like what I am looking for. But if I put this in /etc/profile.local,
could a savvy user override this parameter?



 
Michael Heiming
      11-08-2003, 06:55 AM
Buck Turgidson wrote:
> >
> > Yep, all you want has nothing to do with sshd.
> >
> > man 1 bash
> > /TMOUT
> >

> Looks like what I am looking for. But if I put this in /etc/profile.local,
> could a savvy user override this parameter?


Not if you set TMOUT readonly, look in the bash man page.

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM
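
The readonly setting suggested above, next to a plain one, as an added example that is not part of the original posts. It assumes bash is on PATH, uses the 15-minute (900 s) limit from the question, and runs each fragment in a throwaway child shell instead of touching /etc/profile.local.

```shell
#!/usr/bin/env bash
# Added example (constructed): what a plain TMOUT line and a readonly TMOUT
# line in /etc/profile.local allow a user to change afterwards.
# 900 s is the 15-minute limit asked for in the thread.

PLAIN='TMOUT=900
export TMOUT'

HARDENED='TMOUT=900
readonly TMOUT
export TMOUT'

# Show how bash records the variable after running a fragment
# (an "r" among the attribute flags means readonly).
tmout_declared() {
    printf '%s\ndeclare -p TMOUT\n' "$1" | bash 2>/dev/null
}

# Run a fragment in a throwaway bash, then try the usual ways of changing
# the value. The EXIT trap prints whatever TMOUT ended up as, even if a
# rejected assignment makes the shell stop early.
tmout_after_override() {
    {
        printf '%s\n' "$1"
        cat <<'EOF'
trap 'echo "${TMOUT-unset}"' EXIT
TMOUT=0
unset TMOUT
export TMOUT=0
EOF
    } | bash 2>/dev/null || true
}

echo "plain:    $(tmout_declared "$PLAIN")  -> after override attempts: $(tmout_after_override "$PLAIN")"
echo "readonly: $(tmout_declared "$HARDENED")  -> after override attempts: $(tmout_after_override "$HARDENED")"
```

readonly is an attribute of the shell that sourced the fragment and is not carried in the environment, so the fragment has to be sourced by every interactive bash for the limit to hold.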
 
Buck Turgidson
      11-08-2003, 09:55 PM
> > Looks like what I am looking for. But if I put this in /etc/profile.local,
> > could a savvy user override this parameter?

>
> Not if you set TMOUT readonly, look in the bash man page.
>



I learn something new every day. Thanks.


 