SSH timeout logoff doesn't work!

Conti Stefano

Jun 21, 2022, 4:20:05 AM

Hello! On my Debian 11, SSH timeout logoff does not work! I must put TMOUT=600 in the .bashrc of my user to log out after 10 minutes. It works, of course, but it closes all bash terminals!

This is my sshd_config with info for timeout: 

TCPKeepAlive no
ClientAliveInterval 600
ClientAliveCountMax 0
 
Any suggestions?

didier gaumet

Jun 21, 2022, 4:50:05 AM

Disclaimer: I am not knowledgeable in ssh/sshd matters

If I am not wrong, from what I understand from sshd_config manpage:
https://manpages.debian.org/bullseye/openssh-server/sshd_config.5.en.html
this behavior is what it is supposed to be:
DisconnectionDelay=ClientAliveInterval*ClientAliveCountMax
(times expressed in seconds)

ClientAliveCountMax set to 0 disables disconnection and is set by
default to 3.

For example, to have a 10mn disconnection delay, you could set:
- ClientAliveCountMax to 3 (default) and ClientAliveInterval to 200
- ClientAliveCountMax to 1 and ClientAliveInterval to 600
- ClientAliveCountMax to 10 and ClientAliveInterval to 60
...

Greg Wooledge

Jun 21, 2022, 7:10:05 AM

Those settings *are not* supposed to close an idle ssh session. Nothing
in ssh is supposed to close an idle session. There isn't any facility
to do that, because it's entirely contrary to the design of ssh.

Your TMOUT solution is the standard way to appease the managerial morons
who are asking this of you. It asks the shell to terminate if it's
sitting idle for however many seconds you specify. If the shell closes,
then the ssh session is free to close as well, assuming there are no
active tunneling connections, etc.

Conti Stefano

Jun 21, 2022, 8:10:05 AM

Excuse me, but I assure you that I have used this practice for many years and it always worked in the past. I have other distros, an "old" Debian 9 and a CentOS 7 with SSH version 7.4p1, and I'm sure it all works well, because I put ClientAliveInterval 15 and after 15 seconds the SSH session closed! However, thanks for your time, of course!

Greg Wooledge

Jun 21, 2022, 8:20:05 AM

On Tue, Jun 21, 2022 at 02:02:38PM +0200, Conti Stefano wrote:
> Excuse me, but I assure you that I have used this practice for many years
> and it always worked in the past. I have other distros, an "old" Debian 9
> and a CentOS 7 with SSH version 7.4p1, and I'm sure it all works well,
> because I put ClientAliveInterval 15 and after 15 seconds the SSH session closed!

sshd_config(5) says:

ClientAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the client, sshd(8) will send a message
through the encrypted channel to request a response from the
client. The default is 0, indicating that these messages will
not be sent to the client.

Nothing here relates to *idle* sessions. If you scroll up to the previous
section:

ClientAliveCountMax
Sets the number of client alive messages which may be sent without
sshd(8) receiving any messages back from the client. [...]

The default value is 3. If ClientAliveInterval is set to 15, and
ClientAliveCountMax is left at the default, unresponsive SSH
clients will be disconnected after approximately 45 seconds.
Setting a zero ClientAliveCountMax disables connection termination.

This still doesn't relate to idle sessions. It's there to remove
*non-responsive* sessions -- ones where the client has crashed, or
where the network connection between the client and server has stopped
transmitting packets.

Nicholas Geovanis

Jun 21, 2022, 5:40:05 PM

On Tue, Jun 21, 2022 at 6:04 AM Greg Wooledge <gr...@wooledge.org> wrote:
> On Tue, Jun 21, 2022 at 10:05:43AM +0200, Conti Stefano wrote:
> > Hello! On my Debian 11, SSH timeout logoff does not work! I must put
> > TMOUT=600 in the .bashrc of my user to log out after 10 minutes. It works,
> > of course, but it closes all bash terminals!
> >
> > This is my sshd_config with info for timeout:
> >
> > TCPKeepAlive no
> > ClientAliveInterval 600
> > ClientAliveCountMax 0
>
> Those settings *are not* supposed to close an idle ssh session.  Nothing
> in ssh is supposed to close an idle session.  There isn't any facility
> to do that, because it's entirely contrary to the design of ssh.
>
> Your TMOUT solution is the standard way to appease the managerial morons
> who are asking this of you.

Well, it's one of the standard ways. The other is to let the network admins do it instead.

didier gaumet

Jun 21, 2022, 5:50:05 PM

On Tuesday, June 21, 2022 at 12:52 +0200, Conti Stefano wrote:
> If I put ClientAliveCountMax 1 with ClientAliveInterval 600, the timeout
> is 1200 in my Debian 11. I have tried all combinations, but at the moment
> nothing happens; the session stays alive! There is something, but I don't
> understand what keeps the session alive...

- just in case: do you restart sshd after modifying its setup?
- As Greg Wooledge has stated, use of these sshd parameters is to permit
closing of unresponsive or hung connections, not ordinary and
responsive connections
- if you want to restrict the time of ssh connection and are in a
position to modify the ssh command they use (an alias in their bashrc
for example?), perhaps you can try to force the ssh -o option with the
ConnectTimeout parameter (see ssh manpage). I have never done it
myself, so I don't know if it can solve your problem.

didier...@gmail.com

Jun 21, 2022, 6:10:05 PM

On Tuesday, June 21, 2022 at 23:40 +0200, didier gaumet wrote:

[...]
> - if you want to restrict the time of ssh connection and are in a
> position to modify the ssh command they use (an alias in their bashrc
> for example?), perhaps you can try to force the ssh -o option with
> the ConnectTimeout parameter (see ssh manpage). I have never done it
> myself, so I don't know if it can solve your problem.

Too quick to post: I just checked the ssh_config manpage and this
ConnectTimeout parameter is only relative to the time to establish the
connection, so no cigar.

Loïc Grenié

Jun 24, 2022, 3:40:05 AM

    Hi,

     Maybe

if [ "$(ps -o comm $PPID | tail -1)" = sshd ]; then TMOUT=600; fi

   This is not foolproof, but it should work if you do not abuse the system.

      Hope this helps,

         Loïc
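
Added example, not part of Loïc's post or of the thread: a POSIX-shell variant of the check above for a profile script, generalized to also look at SSH_CONNECTION and to walk the whole parent chain, so a shell started through sudo or su inside an SSH login is still covered. The function names are hypothetical, and the script assumes it is sourced by interactive shells (for example from ~/.bashrc).

```shell
# Added example (hypothetical helper names), e.g. for ~/.bashrc or /etc/profile.d/.
# Sets an idle timeout only for shells that belong to an SSH login.

# Thin wrappers around ps so the process lookup lives in one place.
proc_comm() { ps -o comm= -p "$1" 2>/dev/null | tr -d ' '; }
proc_ppid() { ps -o ppid= -p "$1" 2>/dev/null | tr -d ' '; }

# Return 0 if PID $1 or any of its ancestors is an sshd process.
has_sshd_ancestor() {
    _pid=$1
    _depth=0
    while [ -n "$_pid" ] && [ "$_pid" -gt 1 ] && [ "$_depth" -lt 32 ]; do
        case "$(proc_comm "$_pid")" in
            # OpenSSH 9.8 and later run the per-session process as sshd-session
            sshd|sshd-session) return 0 ;;
        esac
        _pid=$(proc_ppid "$_pid")
        _depth=$((_depth + 1))
    done
    return 1
}

# sshd exports SSH_CONNECTION to the session; fall back to the process tree
# because the variable can be unset or dropped (for example by "su -").
is_ssh_session() {
    [ -n "${SSH_CONNECTION:-}" ] || has_sshd_ancestor "${1:-$PPID}"
}

# Set TMOUT to $1 seconds for SSH sessions; optional $2 = PID to start from.
apply_idle_timeout() {
    if is_ssh_session "${2:-$PPID}"; then
        TMOUT=$1
        # readonly blocks a casual "unset TMOUT"; a user can still exec
        # another shell, so this is a convenience control, not a hard one.
        readonly TMOUT
        return 0
    fi
    return 1
}

# Only interactive shells need the timer.
case $- in
    *i*) apply_idle_timeout 600 || : ;;
esac
```

Local console and terminal-emulator shells have no sshd ancestor and no SSH_CONNECTION, so they keep running without a timeout.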