Web lists-archives.com

Re: OpenSSH not closing idle sessions.




On Mon, Apr 08, 2019 at 12:25:28PM -0500, timothylegg wrote:
> I need to have the session expire and the ssh client terminate after
> an idle time.

Most people want the exact opposite of that.

Basically, what you're asking for is directly hostile to any kind of
sane operation of a computer.

> ClientAliveInterval 5
> ClientAliveCountMax 1

Those settings are used for two purposes.  The first is to allow ssh or
sshd to terminate when the network connection has been lost.  The second
is to keep sending "I'm still here" messages through the network connection
so that a NAT gateway will not drop the session due to inactivity.

So, if you wanted to achieve the exact opposite of your stated goal
(assuming a NAT is involved somewhere along the way), you've succeeded.

I'm not aware of any "features" to cause ssh to terminate when idle, at
the ssh transport level.

If all you want to do is terminate the user's shell (and thus their
ssh connection, ultimately) when the user is sitting idle at the shell
prompt for too long, you could use the shell's TMOUT variable.

Of course, that won't disconnect the user's idle vim or mutt command.
That would result in data loss.

TMOUT only works when idling at a shell prompt, and it requires the user
to sign up for this "feature" by setting that variable (or neglecting
to unset it, if someone tries to set it in a global shell file like
/etc/profile).

Perhaps you could reframe your question in a way that makes sense in
a universe where the data loss from just arbitrarily killing users'
text editors and other stateful applications is a concern.  Start by
stating why you're trying to do this, who's making you do this, who's
going to handle the angry users, who's going to compensate them for
their data loss, etc.