How can I use docker without sudo?

Question

user2149308

Asked: 2020-08-07 23:08:46 +0800 CST2020-08-07 23:08:46 +0800 CST 2020-08-07 23:08:46 +0800 CST

Set SSH idle timeout Ubuntu 20.04

772

I want incoming ssh-sessions to automatically disconnect upon inactivity for a security-critical server.

I've set the following settings

TCPKeepAlive no
ClientAliveInterval  30
ClientAliveCountMax 0

I would expect sshd not to send KeepAlive-Packages due to TCPKeepAlive and ClientAliveCountMax - and my sessions to timeout after 30 seconds. On top of that I think TCPKeepAlive could be left at its default which should be yes.

I've checked existing sessions like that:

root@<server>:/etc/apache2# w
 06:53:51 up 2 days, 21:25,  2 users,  load average: 0,00, 0,00, 0,00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
_____-ad pts/0    ____________      Do11    6.00s  0.99s  0.00s sshd: _____-admin [priv]
_____-us pts/1    ____________     06:40   13:26   0.02s  0.02s -bash

The sessions won't timeout...

I restarted sshd of course.

root@<server>:/etc/apache2# sshd -T | grep -i "ClientAlive"
clientaliveinterval 30
clientalivecountmax 0

Could the client still be sending KeepAlive-Packages? I cannot control all versions of clients that connect..

References: https://www.golinuxcloud.com/disconnect-idle-ssh-session-tcpkeepaliv-linux/ https://secscan.acron.pl/centos7/5/2/13

EDIT: TCPKeepAlive yes doesn't change the behaviour, sessions still linger. I also started a new session after I restarted sshd to avoid having old settings in my ssh-session.

EDIT2: Added keyword "incoming" to the description above to make it clearer, that I want my ssh server (sshd) to drop connections after an idle timeout, because users might forget about their open (and unsed) ssh sessions.

EDIT3: Just for information - used sshd version:

root@<server>:/etc/apache2# dpkg -l openssh-server
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
         Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name           Version            Architektur  Beschreibung
+++-==============-==================-============-=================================================================
ii  openssh-server 1:8.2p1-4ubuntu0.1 amd64        secure shell (SSH) server, for secure access from remote machines
root@<server>:/etc/apache2# sshd -V
unknown option -- V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020

Working as expected in

Debian 10 (OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019)*
Ubuntu 16.04 (OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016)

*For Debian 10 I wanted to compare sshd -T. Options that differ: casignaturealgorithms, gssapikexalgorithms, hostbasedacceptedkeytypes, hostkeyalgorithms, kexalgorithms, passwordauthentication, permitrootlogin, pubkeyacceptedkeytypes, pubkeyauthoptions, securitykeyprovider

I've only set passwordauthentication no

I've connected from the same host, the only difference is I used pubkey authentication for the server in question and password authentication for the Debian 10 server.

Sorry that it's getting long.. It kinda turns into a bug report..

On Debian 10:

ClientAliveInterval 10, ClientAliveCountMax 3: ssh -v records the message debug1: client_input_channel_req: channel 0 rtype [email protected] reply 1 every 10 seconds
ClientAliveInterval 10, ClientAliveCountMax 0: session disconnects after 10 seconds.

On Ubuntu 20.04:

ClientAliveInterval 10, ClientAliveCountMax 0: ssh -v records the message debug1: client_input_channel_req: channel 0 rtype [email protected] reply 1 every 10 seconds

1 Answers

Voted

Doug Smythies · Answer 1 · 2020-08-09T05:32:18+08:00

As of the more recent versions of openssh server, there is no way to configure an inactivity/idle timeout via /etc/ssh/sshd_config.

While one can find a great many references saying to set ClientAliveCountMax 0 in conjunction with ClientAliveInterval N to create an inactivity/idle timeout, evidently that was not an intended ability and has now been intentionally closed.

The relevant change to the sshd_config man pages for ClientAliveCountMax is this additional sentence: "Setting a zero ClientAliveCountMax disables connection termination."

Some have submitted bug reports against openssh, in particular this one and this one. Some particularly relevant excerpts:

ClientAliveCountMax=0 has never been specified to work as an idle timeout. If it did that then it was by accident and would be unreliable. E.g. if the client specified it's own ServerAliveTimeout or kept a forwarded TCP connection open then it would never fire.

and

If you need a idle timeout, then I suggest looking at shell features (e.g. bash's TMOUT) or something like a PAM module.

Set SSH idle timeout Ubuntu 20.04

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?