Web lists-archives.com

OpenSSH not closing idle sessions.




Debian 9 - Installed yesterday on two 64-bit VMs

In /etc/ssh/ssh_config there are two parameters, of which I am citing
sshd_config(5) man page:

ClientAliveInterval  - Sets a timeout interval in seconds after which
if no data has been received from the client, sshd(8) will send a
message through the encrypted channel to request a response from the
client. The default is 0, indicating that these messages will not be
sent to the client. This option applies to protocol version 2 only.

ClientAliveCountMax  - Sets the number of client alive messages (see
below) which may be sent without sshd(8) receiving any messages back
from the client. If this threshold is reached while client alive
messages are being sent, sshd will disconnect the client, terminating
the session.

I need to have the session expire and the ssh client terminate after
an idle time.  For testing purposes, I assigned these to unreasonably
small values and restarted the daemon with /etc/init.d/ssh restart:

ClientAliveInterval 5
ClientAliveCountMax 1

The server is not using protocol version 1, so protocol version 2 is
used and thus ClientAliveInterval should be obeyed.  I suspected that
maybe default settings of the SSH client may be keeping the session
alive by delivering scheduled null packets, so I assigned -o
ServerAliveInterval 30, a larger value to ensure that such packets
aren't delivered in time.

But the change doesn't seem to stick, not even after rebooting the machine.

mary@mary:/etc/ssh$ w
12:06:03 up 19 min,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
mary     tty1     -                11:47    1:38   0.20s  0.15s -bash
mary     pts/0    192.168.1.7      12:02    0.00s  0.05s  0.00s w
mary     pts/1    192.168.1.19     12:05   1:41  0.04s  0.04s -bash

As I write this, the session is idle 5 minutes and just won't hang up.
Ironically, it appears most people have the opposite problem of SSH
being sporadically closed, and that has really polluted my search
results in trying to resolve this.

Ideas?