How to prevent unattended SSH connections from remaining connected
Preventing idle SSH sessions from remaining connected is an easy way to add a bit more security to secure shell. Find out how.
If you’re a Linux admin, you know the value of Secure Shell. Without this tool, you’d be hard-pressed to get much remote administration done on your servers. In fact, you probably SSH into and out of machines all day. Or, you might SSH into a server and inadvertently leave that connection up throughout the day.
And that, my friends, is inviting trouble.
What if you leave that connection up and running and someone happens by your desk while you’re away? That someone could have a seat and have at your server. You do not want that. Or what if you have other users who secure shell into those servers, and you can’t look over their shoulders all day?
This is not something you should leave to chance.
Can you do anything about that? You certainly can. Secure Shell includes a timeout feature that lets you configure the SSH server to disconnect a user after a set period of inactivity.
Let me show you how this is done.
What you’ll need
How to configure Secure Shell for timeouts on the server
Out of the box, the SSH daemon configuration doesn’t configure the necessary options for enabling inactive timeouts. That’s fine because we can easily add them. However, there are two types of configurations we want to take care of. The first is to prevent idle sessions from remaining connected on the server end.
To take care of this, open the configuration file on the server for editing with the command:
sudo nano /etc/ssh/sshd_config
Scroll to the bottom of that file and add the following three lines:
TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 2
By default, the ClientAliveInterval value is in seconds. You could also use:
However, the trick is in the ClientAliveCountMax option. That informs the SSH daemon how many times to count the timeout interval. So if you set ClientAliveCountMax to 2, it would count two times the ClientAliveInterval. If you set ClientAliveInterval to 5m and ClientAliveCountMax to 2, the total timeout would be 10 minutes.
You could also set the options to:
ClientAliveInterval 10m
ClientAliveCountMax 0
The above configuration would also time out after 10 minutes of inactivity.
Once you’ve made your configurations, restart the SSH daemon with the command:
sudo systemctl restart sshd
The above configuration will take care of any idle sessions from the server end of things.
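To check what the daemon actually loaded after the restart, the following added example (not part of the original article) reads `sshd -T` style output and computes the interval × count window described above; the function name `audit_keepalive` and the sample input are constructed for illustration. It also flags a ClientAliveCountMax of 0, which OpenSSH 8.2 and later treat as never disconnecting rather than as an immediate timeout.

```shell
#!/bin/sh
# Added example: audit the client-alive settings sshd is using.
# Reads "keyword value" lines on stdin, as printed by `sshd -T`.
audit_keepalive() {
    awk '
    # Convert 30, 90s, 5m or 1h to seconds; -1 if not understood.
    function secs(v) {
        if (v ~ /^[0-9]+[sS]?$/) return v + 0
        if (v ~ /^[0-9]+[mM]$/)  return (v + 0) * 60
        if (v ~ /^[0-9]+[hH]$/)  return (v + 0) * 3600
        return -1
    }
    # sshd uses the first value obtained for a keyword, so keep the first.
    tolower($1) == "clientaliveinterval" && !("i" in seen) { seen["i"]; interval = secs($2) }
    tolower($1) == "clientalivecountmax" && !("c" in seen) { seen["c"]; count = $2 + 0 }
    END {
        if (!("i" in seen) || interval == 0) {
            print "WARN ClientAliveInterval unset or 0: no client-alive checks are sent"; exit
        }
        if (interval < 0) { print "WARN ClientAliveInterval value not understood"; exit }
        if (!("c" in seen)) count = 3   # default per sshd_config(5)
        if (count == 0) {
            print "WARN ClientAliveCountMax 0: OpenSSH 8.2 and later never disconnect with this value"; exit
        }
        # Window after which sshd drops the session: interval x count.
        print "OK " interval * count
    }'
}

# Constructed samples using the values from the article.
printf 'tcpkeepalive yes\nclientaliveinterval 30\nclientalivecountmax 2\n' | audit_keepalive
printf 'ClientAliveInterval 10m\nClientAliveCountMax 0\n' | audit_keepalive
# On a live server (needs root): sudo sshd -T | audit_keepalive
```

Per sshd_config(5), ClientAliveCountMax counts client-alive messages sent without a reply from the client, so confirm the reported window with the test at the end of this article.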
How to configure Secure Shell for client timeouts
Now we’re going to set the timeout on the client end. You don’t have to do this, as the server setting should take care of idle timeouts. But if you’re of the overly cautious persuasion, you might want to prevent any client from remaining connected to any remote server via SSH. Unfortunately, this cannot be set globally on the server, but must be taken care of on the individual clients.
The configuration is handled in the .bashrc file. But instead of going through every user’s ~/.bashrc file, you can do this in the global file with the command:
sudo nano /etc/bash.bashrc
In that file scroll down to the bottom and add the following lines:
TMOUT=300
readonly TMOUT
export TMOUT
The TMOUT option sets the amount of time (in seconds) that an idle connection will be allowed. A configuration of TMOUT=300 will break idle connections after five minutes.
How to test the configuration
Now that you’ve configured the timeout interval, open a new terminal window, connect to any of your remote Linux servers via SSH, and don’t do anything at the terminal. You should be kicked out of the session as soon as the allotted inactive time passes.
And that’s all there is to disconnecting SSH sessions after a period of inactivity. Do this to prevent anyone from being able to pull off various and sundry shenanigans after you (or anyone else) have left your desk with an SSH connection up and running.