3

For security reasons, I need to limit the maximum duration of an ssh session to 2 hours, even if it is active the entire time (not idle).

I see sshd_config allows setting session idle time with the ClientAliveInterval and ClientAliveCountMax properties. This is not my interest.

Is there another setting I can configure to control the maximum active time of a session? The ssh daemon is running on Amazon Linux 2, which is similar to CentOS.

2 Answers

2

There isn't an sshd_config option for terminating active sessions after a period of time. The customary way of doing this is to run a task on the server that notices an ssh session has lasted too long and kills the processes.

Beware that this can backfire when a developer has logged into the server to run an important command such as performing a database schema change (often called a "migration") that takes a long time to run and should not be interrupted in the middle. CI/CD systems will often run db migration commands as part of application deploys, so this can happen with more than just interactive users running ad-hoc commands.

Because of this, the task (if you write your own) will likely need to include a whitelist of logins that won't have their sessions killed. Or a list of logins that have a maximum time allowance that's different (longer) than the two-hour default.

Sotto Voce
  • 4,131
0

Hmm, doing it THROUGH SSH would be prohibitively difficult. I think the easiest way would be to have a background program start running every time you have an ssh login to a specific account, which, after 10 minutes, kills all the ssh connections. Honestly it would be very easy. You'd add something to ~/.profile or ~/.bashrc that says something like

# run in the background so the login shell itself is not blocked for 10 minutes
(sleep 600; killall --user "$USER") &

Use ForceCommand in sshd_config. It is guaranteed to be executed after login.

Is it possible to set a time limit on an active ssh connection for a specific linux user?

Match User ctfuser
    ForceCommand (sleep 600; killall -u ctfuser) & bash

Or ForceCommand to start a custom script

You can do so by adding the following parameter to your config file (/etc/ssh/sshd_config).

Run scripts automatically in server after ssh connection

One idea is that the timer restarts with every action from the user, or that the user receives a console message every 10 minutes, or during the last 5 minutes, that the session is about to be closed.

How to prevent ssh user to login if same user is still logged in?

How to prevent multiple connections in SSH?

How can I disconnect ssh users, or limit the number of ssh logins?

Z0OM
  • 3,149
    Note that if a user logs in at 10am and then again at 11am, both sessions will be killed at noon. And, since the process is running under the user's account, he can kill it at any time. – doneal24 Mar 20 '23 at 18:45
  • You can check on the server side if a user is already logged in and then terminate the current session, or whatever else. – Z0OM Mar 20 '23 at 18:50
  • There are a few solutions for what you can do. You have to write your own custom solution and then handle all the pros and cons that fit your needs. – Z0OM Mar 20 '23 at 18:53
  • killall as a shell script backgrounded works inside the user's profile but that allows the user to edit. I couldn't get ForceCommand to work. It runs the command and then exits. Tried a simple echo hello in the foreground and background. Seems a root-level background process is more secure but would need a bit more logic. – Mark Sawers Apr 27 '23 at 18:05
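As an added example (my own, not code from any of the posts above), here is the kind of root-run server-side task Sotto Voce describes, with the per-user allowlist that answer calls for; because it runs as root from cron rather than from the user's profile, it also sidesteps doneal24's point that a timer running under the user's own account can be killed by that user. The script name, cron schedule and override list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a root-owned cron job that ends ssh
# sessions older than a per-user limit. Run by root rather than from the user's
# ~/.profile, so the logged-in user cannot simply kill the timer.
# The script name and the override list below are hypothetical.

DEFAULT_MAX_SECS=7200   # the two-hour limit from the question
# Per-user overrides as "user:seconds"; 0 means that login is never cut off
# (the allowlist for long-running migrations the first answer calls for).
OVERRIDES="deploy:0 dba:14400"

# Print the session limit, in seconds, that applies to the given login.
max_for_user() {
    for entry in $OVERRIDES; do
        case "$entry" in
            "$1":*) echo "${entry#*:}"; return 0 ;;
        esac
    done
    echo "$DEFAULT_MAX_SECS"
}

# Read "PID USER ELAPSED_SECONDS" lines and print the PIDs whose session has
# outlived its user's limit. Pure logic, so it can be exercised on constructed
# input without touching real processes.
select_expired() {
    while read -r pid user etimes; do
        limit=$(max_for_user "$user")
        if [ "$limit" -ne 0 ] && [ "${etimes:-0}" -ge "$limit" ]; then
            echo "$pid"
        fi
    done
}

# One such line per live session. Each ssh login on Linux has a user-owned
# "sshd: USER@pts/N" (or USER@notty) process whose title carries the login
# name; terminating it drops the connection. etimes is its age in seconds.
list_sessions() {
    ps -eo pid=,etimes=,args= |
        awk '$3 == "sshd:" && $4 ~ /@/ { split($4, a, "@"); print $1, a[1], $2 }'
}

enforce() {
    list_sessions | select_expired | while read -r pid; do
        logger -t ssh-session-limit "terminating ssh session process $pid"
        kill -TERM "$pid"
    done
}

# Cron entry, e.g.  */5 * * * *  /usr/local/sbin/ssh-session-limit --enforce
if [ "${1:-}" = "--enforce" ]; then enforce; fi
```

Each run only looks at process age, so a user who logs in twice still gets each session cut off two hours after that session started, rather than both at once.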