OpenSSH sshd_config

Correct configuration keywords since OpenSSH 9.2 (Debian 12)

The OpenSSH 9.2 (Feb 2, 2023) introduced new features for inactive sessions.

• sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels.

• sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above.

For the eight hours in this question, e.g.,

ChannelTimeout *=8h
UnusedConnectionTimeout 1m

Where:

• The *=8h monitors all channels separately. If you want activity on any channel to reset the timeout, use the special keyword global=8h.
• The UnusedConnectionTimeout is set to one minute in order to terminate the connection shortly after the last channel has been closed.

For OpenSSH < 9.2 that has to be done by other means.

The used configuration keywords are for unresponsive sessions

The ClientAliveInterval does not monitor for inactivity but whether the client is still responsive.

Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.

The documentation for ClientAliveCountMax may help in understanding this:

If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination.

📜 A historical note: Before OpenSSH 8.2 (Feb 14, 2020) the ClientAliveCountMax worked differently with 0, having the side effect that it could have been used for terminating idle connections. From the changelog:

Bugfixes

• sshd(8): make ClientAliveCountMax=0 have sensible semantics: it will now disable connection killing entirely rather than the current behaviour of instantly killing the connection after the first liveness test regardless of success. bz2627

⚠️ Yet, this misleading instruction has been repeated all over the Internet:

• Geeks for Geeks: Disconnecting Inactive SSH Connections in Linux
• Vivek Gite on nixCraft: Linux / UNIX Automatically Logout BASH / TCSH / SSH Users After a Period of Inactivity
• Hayden James on Linuxblog.io: How to Kill Inactive SSH Sessions
• KGIII on Linux Tips: Disable Inactive SSH Sessions
• Aaron Kili on Techmint: How to Disconnect Inactive or Idle SSH Connections in Linux
• Satish Kumar on Tutorials Point: How to Disconnect Inactive or Idle SSH Connections in Linux?

Of these, only Gite had the ClientAliveCountMax=0 that could have worked before 2020, but does this count? After all, the article was likely written in 2021... Makes me wonder does anyone read the documentation or are they busy copy-pasting other's blog posts. 🤦‍♂️

In-depth discussion on alternatives

Scripting – be careful you detect inactivity correctly

Hayden James gives an example for Automating the Process with a script. However, using that script is dangerous as it could kill SSH sessions that are in active use. The script gets the "idle time" from ps -eo pid,etimes,comm where the etimes does not show the idle time of the process but the total time it has been running. From ps(1):

STANDARD FORMAT SPECIFIERS

CODE	HEADER	DESCRIPTION
etimes	ELAPSED	elapsed time since the process was started, in seconds.

Satish Kumar suggests using who for list of active users and the fifth column of w -h for detecting inactivity. However, this script also has some flaws:

• The fifth column does not contain the seconds as an integer, but a string value like 2.00s, 7:51m or 5days. The [[ "$idle" -gt "1800" ]]; does not parse that correctly.
• If the comparison was possible, the script would kill all processes of the user...
  • ...in case the users has not typed anything in any of the sessions.
  • ...including terminal multiplexers (screen, tmux) and other processes that are intended to live outside an active SSH session.

The detection of the inactivity should be way more precise, as well as the selection of the process to be killed.

This approach could work:

1. Take the sessions directly from the second column of who.
2. Use stat to get the last access time of the TTY device (see answer from Celada).

   who -s | awk '{ print $2 }' | (cd /dev && xargs stat -c '%n %U %X')
   

   That can be directly converted to age in seconds:

   who -s | awk '{ print $2 }' | (cd /dev && xargs stat -c '%n %U %X') \
     | awk '{ print $1"\t"$2"\t"'"$(date +%s)"'-$3 }'
   

3. Use pgrep to find sshd processes for the TTYs, or pkill to kill them.

   user=$(echo "$line" | awk '{print $1}')
   tty=$(echo "$line" | awk '{print $2}')
   age=$(echo "$line" | awk '{print $3}')
   pgrep -f "sshd: ${user}@${tty}"
   

All put together (more complete find-inactive-ssh-sessions.sh in oh2fih/Misc-Scripts):

#!/bin/bash
MAX_IDLE=28800  # default 8 hours
KILL=0          # set 1 to kill instead of list

# Get TTYs with the seconds since the last access time
TTYS=$(
  who -s \
    | awk '{ print $2 }' \
    | grep -ve "^:"
  )
if [ "$TTYS" = "" ]; then
  exit 0
fi

TTY_AGES=$(
  echo "$TTYS" \
    | (cd /dev && xargs stat -c '%U %n %X') \
    | awk '{ print $1"\t"$2"\t"'"$(date +%s)"'-$3 }'
  )

# Get sshd processes of the TTYs; list or kill
while IFS= read -r line ; do 
  user=$(echo $line | awk '{print $1'})
  tty=$(echo $line | awk '{print $2'})
  age=$(echo $line | awk '{print $3'})
  if (( $age > $MAX_IDLE )); then
    if (( KILL == 1 )); then
      pkill -f "sshd: ${user}@${tty}"
    else
      pgrep -f -a "sshd: ${user}@${tty}"
    fi
  fi
done <<< "$TTY_AGES"

Built-in features in shells

As Vivek Gite mentions, shells have features for automatically logging the user out after a period of inactivity. These might work if there is no need to enforce the logout, as the user is able to change these settings.

• TMOUT environment variable for bash, zsh & ksh.

  export TMOUT=28800
  

• autologout setting in tcsh & csh.

  set -r autologout 28800
  

If you configure these through, e.g., /etc/profile.d/, they affect all sessions. However, you could use features in sshd_config to configure them, too: SetEnv & ForceCommand. E.g.,

SetEnv TMOUT=28800

Match Group cshusers
    ForceCommand set -r autologout 28800

Where does the recommendation come from?

The advice is likely based on, e.g., NIST 800-171 Revision 2:

3.1.11 Terminate (automatically) a user session after a defined condition.

DISCUSSION

This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use.

You should decide which one is more important for you: preventing someone from using the connection without permission or the reliability of management connections. Could the unauthorized use be prevented by other means? E.g., could the SSH connections be limited only to company computers, and could the company computers be forced to be locked on inactivity?