
We are currently using SSH for our project, and we need to implement a feature where SSH users are logged off after 1 minute of inactivity. Below are excerpts from our ssh_config and sshd_config files:

ssh_config

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
   ForwardAgent yes
   ForwardX11 yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

sshd_conf

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

sshd_config_readonly

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
Compression no
ClientAliveInterval 1m
ClientAliveCountMax 0
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

HostKey /var/run/ssh/ssh_host_rsa_key
HostKey /var/run/ssh/ssh_host_ecdsa_key
HostKey /var/run/ssh/ssh_host_ed25519_key

Below are the things I have changed in the sshd_config file:

ClientAliveInterval 1m
ClientAliveCountMax 0

After setting ClientAliveInterval to 1 minute and ClientAliveCountMax to 0, we expected users to be logged off after 1 minute of inactivity. However, we are facing an issue where users are unable to log off.

Here is the output for sshd -T && echo OK:

addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam yes
logingracetime 120
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
printmotd yes
printlastlog yes
x11forwarding no
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
compression no
gatewayports no
usedns no
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding no
allowstreamlocalforwarding yes
streamlocalbindunlink no
fingerprinthash SHA256
exposeauthinfo no
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
banner none
forcecommand none
chrootdirectory none
trustedusercakeys none
revokedkeys none
securitykeyprovider internal
authorizedprincipalsfile none
versionaddendum none
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedprincipalscommand none
authorizedprincipalscommanduser none
hostkeyagent none
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256
hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
rdomain none
loglevel VERBOSE
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
setenv TMOUT=60
authenticationmethods any
subsystem sftp /usr/libexec/sftp-server
maxstartups 10:30:100
permittunnel no
ipqos af21 cs1
rekeylimit 0 0
permitopen any
permitlisten any
permituserenvironment no
pubkeyauthoptions none
OK

Any insights or suggestions on what might be causing this problem would be greatly appreciated.

Thank you!
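One check worth running before touching any timeout option is whether the daemon has loaded the file that was edited at all. The `sshd -T` output above reports clientaliveinterval 0 and clientalivecountmax 3, which are the OpenSSH defaults, while the edited file sets ClientAliveInterval 1m and ClientAliveCountMax 0; the hostkey paths differ as well. The following is an added example, written for this page and not part of the question or of OpenSSH, that parses both texts, normalises time values to seconds the way `sshd -T` prints them, and lists every configured directive the running daemon does not agree with. The helper names are mine and the sample inputs are constructed from values shown in the question.

```python
import re

# Added example: compare the directives written in sshd_config with the values a
# running sshd actually reports via `sshd -T`, to catch an edited file that the
# daemon never loaded. Helper names are mine; sample data is constructed from the
# values shown in the question.

# Unit multipliers for sshd_config TIME FORMATS; `sshd -T` prints times in seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value):
    """Normalise a time value ('1m', '2h30m', '120') to a string of seconds so it
    can be compared with `sshd -T` output; any other value ('yes', 'none',
    '10:30:100') is returned unchanged."""
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", value, re.IGNORECASE):
        return value
    total = 0
    for number, unit in re.findall(r"(\d+)([smhdw]?)", value, re.IGNORECASE):
        total += int(number) * _UNITS[unit.lower() or "s"]
    return str(total)


def parse_directives(text):
    """Return {keyword.lower(): normalised value} for the global section of an
    sshd_config-style text (the same shape fits `sshd -T` output). Comment lines
    are skipped, the first occurrence of a keyword wins (sshd_config(5)
    semantics) and parsing stops at the first Match block, since `sshd -T`
    without -C only reports global values."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), " ".join(parts[1].split())
        if keyword == "match":
            break
        directives.setdefault(keyword, to_seconds(value))
    return directives


def find_mismatches(config_text, effective_text):
    """Return [(keyword, configured, effective)] for each configured keyword whose
    value differs from (or is absent in) the `sshd -T` report."""
    configured = parse_directives(config_text)
    effective = parse_directives(effective_text)
    return [(k, v, effective.get(k)) for k, v in configured.items() if effective.get(k) != v]


# Constructed excerpt of the edited sshd_config (directives taken from the question).
SAMPLE_CONFIG = """\
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Compression no
ClientAliveInterval 1m
ClientAliveCountMax 0
SetEnv TMOUT=60
Subsystem\tsftp\t/usr/libexec/sftp-server
HostKey /var/run/ssh/ssh_host_rsa_key
"""

# Constructed excerpt of the `sshd -T` output shown in the question.
SAMPLE_EFFECTIVE = """\
usepam yes
logingracetime 120
clientaliveinterval 0
clientalivecountmax 3
permitrootlogin yes
passwordauthentication yes
compression no
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
setenv TMOUT=60
subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    for keyword, wanted, got in find_mismatches(SAMPLE_CONFIG, SAMPLE_EFFECTIVE):
        print(f"{keyword}: configured {wanted!r}, running sshd reports {got!r}")
```

On a real host, run `sshd -T` as root and feed its output in place of the sample. Note that a plain `sshd -T` parses the default /etc/ssh/sshd_config; if the daemon was started with `-f` pointing at another file (the sshd_config_readonly variant above, for instance), pass the same `-f` so the comparison reflects the file the daemon really uses.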

2 Answers


ClientAlive* are not designed to terminate healthy connections. It's a myth they are. Please read this other answer of mine to learn what the options are really for. In a nutshell, they are for:

  • allowing the SSH server to detect when a client silently disappears from the network;
  • renewing a healthy connection that is otherwise idle, so network nodes between the server and the client do not discard it because of the idleness.

The options you need are ChannelTimeout and UnusedConnectionTimeout. They are designed to detect inactivity (as opposed to disappearance of the client detected by ClientAlive*).

ChannelTimeout
Specifies whether and how quickly sshd(8) should close inactive channels. Timeouts are specified as one or more type=interval pairs separated by whitespace, where the type must be the special keyword global or a channel type name from the list below, optionally containing wildcard characters.

(source)

UnusedConnectionTimeout
Specifies whether and how quickly sshd(8) should close client connections with no open channels. […]

Note that this timeout starts when the client connection completes user authentication but before the client has an opportunity to open any channels. Caution should be used when using short timeout values, as they may not provide sufficient time for the client to request and open its channels before terminating the connection.

(source)

This is an example setup (in /etc/ssh/sshd_config):

ChannelTimeout *=1m
UnusedConnectionTimeout 1m

Notes:

  • ChannelTimeout *=1m is not equivalent to ChannelTimeout global=1m.

  • The client may easily generate artificial activity (e.g. in an interactive shell session the user can run watch date or so).

  • If the server terminates the last channel due to ChannelTimeout, usually the client will terminate the whole connection by itself, so UnusedConnectionTimeout is not that relevant. Some options of the client (e.g. ControlPersist) may cause the client to want to keep the connection even without channels and then UnusedConnectionTimeout will be relevant.

  • The packets generated by ClientAlive* do not belong to any channel, so they will not reset the timeouts. This means you can use ChannelTimeout+UnusedConnectionTimeout for what you want to do and simultaneously you can use ClientAlive* for what it was designed for. (Note that setting ClientAliveCountMax to zero (like you did) disables the functionality.)

  • ChannelTimeout and UnusedConnectionTimeout are relatively new inventions (OpenSSH 9.2, 2023-02-02). Online resources that predate these options try to achieve similar results with other means, some of them use ClientAlive* and spread the myth.

  • In general you may also find StopIdleSessionSec= in /etc/systemd/logind.conf useful. It's not specific to SSH, it's specific to the systemd login manager. See man 5 logind.conf.

  • Thanks for the quick reply, but when we include ChannelTimeout *=1m and UnusedConnectionTimeout 1m, ssh simply refuses our connection, giving ssh_exchange_identification: Connection closed by remote host – karkator Jan 23 '24 at 09:09
  • @karkator On the server, does sudo sshd -T && echo OK print OK at the end? If not, what exactly does it print? – Kamil Maciorowski Jan 23 '24 at 10:57
  • If I give ssh -v on Linux to establish an SSH connection to the host, I am getting debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 ssh_exchange_identification: read: Connection reset by peer, and the output for sshd -T && echo OK is /etc/ssh/sshd_config: line 119: Bad configuration option: ChannelTimeout /etc/ssh/sshd_config: line 120: Bad configuration option: UnusedConnectionTimeout /etc/ssh/sshd_config: terminating, 2 bad configuration options – karkator Jan 24 '24 at 01:45
  • I have also given the output for sshd -T && echo OK in the question, please review it! – karkator Jan 24 '24 at 02:07
  • @karkator Sigh… You are using OpenSSH_7.2p2. My answer clearly states the relevant options are "relatively new inventions (OpenSSH 9.2, 2023-02-02)". You need 9.2 or later, you have 7.2. Your sshd does not know these options at all. This is why you got Bad configuration option for each. – Kamil Maciorowski Jan 24 '24 at 05:00
  • Any other ways or workarounds by which we can achieve this? – karkator Jan 24 '24 at 06:35
  • @karkator Maybe StopIdleSessionSec= in /etc/systemd/logind.conf (already mentioned). For now I cannot think of anything else that wouldn't be a foggy idea of an unreliable contraption built with questionable hacks. I will think about it but I cannot promise anything. Anyway, ClientAlive* you asked about are not for this, regardless of the version of sshd. – Kamil Maciorowski Jan 24 '24 at 06:59
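The comment thread shows the failure mode of deploying a directive the installed sshd does not know: the daemon rejects the whole file and every connection is refused until the line is removed. As an added example (written for this page, not part of the answer or of OpenSSH), the following small pre-deployment check parses the OpenSSH version out of a version string and flags directives that need a newer release. The minimum for ChannelTimeout and UnusedConnectionTimeout (9.2) is the one stated in the answer; the 7.8 minimum for SetEnv is from the OpenSSH 7.8 release notes. The function names are mine, and the sample input is constructed from the directives in the answer plus the version string quoted in the comments.

```python
import re

# Added example (not from the answer): refuse a candidate sshd_config whose
# directives the installed sshd does not understand, to avoid the lockout seen
# in the comments (sshd rejects the file and every connection is refused).
# Minimum release per directive: ChannelTimeout / UnusedConnectionTimeout appeared
# in OpenSSH 9.2 (stated in the answer); SetEnv in 7.8 (OpenSSH 7.8 release notes).
# Directives not listed here are not checked.
MIN_VERSION = {
    "channeltimeout": (9, 2),
    "unusedconnectiontimeout": (9, 2),
    "setenv": (7, 8),
}


def parse_openssh_version(banner):
    """Return (major, minor) from an OpenSSH version string such as
    'OpenSSH_7.2p2 Ubuntu-4ubuntu2.10' (ssh -V) or the protocol identification
    string 'SSH-2.0-OpenSSH_7.2p2 ...' seen in ssh -v output."""
    match = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if match is None:
        raise ValueError(f"no OpenSSH version found in {banner!r}")
    return int(match.group(1)), int(match.group(2))


def unsupported_directives(config_text, version):
    """Return [(line_no, keyword, 'min.version')] for every directive in
    config_text that needs a newer OpenSSH than `version`. Comment and blank
    lines are skipped; keywords are case-insensitive, as in sshd_config(5)."""
    problems = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = re.split(r"[\s=]+", line, maxsplit=1)[0].lower()
        needed = MIN_VERSION.get(keyword)
        if needed is not None and version < needed:
            problems.append((line_no, keyword, "%d.%d" % needed))
    return problems


def check_candidate(config_text, banner):
    """Parse the version string and lint the candidate config against it."""
    return unsupported_directives(config_text, parse_openssh_version(banner))


# Constructed sample: the directives from the answer plus the version string
# quoted in the comment thread.
SAMPLE_CANDIDATE = """\
Port 22
ClientAliveInterval 1m
ChannelTimeout *=1m
UnusedConnectionTimeout 1m
SetEnv TMOUT=60
"""
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10"

if __name__ == "__main__":
    for line_no, keyword, needed in check_candidate(SAMPLE_CANDIDATE, SAMPLE_BANNER):
        print(f"line {line_no}: {keyword} requires OpenSSH {needed} or later")
```

This only covers the directives in the table; the authoritative check is still to run `sshd -t -f /path/to/candidate` on the target host before restarting the daemon, which reports "Bad configuration option" for anything that build does not accept.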

Assuming your users have bash shells, add to your sshd_config:

SetEnv TMOUT=60

This will terminate interactive shells after one minute of inactivity at the prompt.

It's just an environment variable, so users can adjust their own timeout value. One minute is pretty harsh though, certainly with password logins. Of course,

sleep 300

works great to find your terminal still alive after going for a coffee, but is unworkable for many common use cases, such as users working in multiple screens.

Unless you're expecting seriously many concurrent idle users (and why?) I'd think about usability first. Is the 1 min logout really needed and not intended to pester users?

  • Hi @zwets, my default shell is /bin/sh. We have tried SetEnv TMOUT=60 but it does not work. I have edited my question again, giving the output of sshd -T && echo OK; please review it. – karkator Jan 24 '24 at 02:00
  • @karkator the TMOUT variable is a feature of bash, and not present in e.g. dash. You can set a user's shell with the chsh command. chsh -s /bin/bash would do this for your own account. – zwets Jan 24 '24 at 09:23
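The answer points out that TMOUT is just an environment variable, so a user can raise or unset it. The usual way to pin it for bash login shells is a drop-in under /etc/profile.d that sets TMOUT and marks it read-only. The following is an added example (not from the answer) with the 60-second value used above; the file path and the function names are my choices, and the check function sources the snippet in a throwaway subshell so it can be tried without touching /etc.

```sh
#!/bin/sh
# Added example: enforce a bash idle timeout that users cannot change.
# Snippet intended for /etc/profile.d/idle-timeout.sh (path is an assumption, not
# from the answer). bash treats TMOUT as the number of seconds to wait for input
# at an interactive prompt; `readonly` rejects any later TMOUT=... or unset TMOUT
# in that shell.
IDLE_TIMEOUT_SNIPPET='TMOUT=60
readonly TMOUT
export TMOUT'

# Write the snippet to the given path (run as root for /etc/profile.d/idle-timeout.sh).
write_idle_timeout() {
    printf '%s\n' "$IDLE_TIMEOUT_SNIPPET" > "$1"
}

# Source the snippet in a throwaway subshell and try to override TMOUT.
# Prints "locked" if the override is rejected (what we want), "unlocked" otherwise.
# Works whether the subshell is bash (non-fatal error, status 1) or dash (fatal error).
check_idle_timeout_locked() {
    tmp=$(mktemp) || return 1
    write_idle_timeout "$tmp"
    if ( . "$tmp"; TMOUT=5 ) 2>/dev/null; then
        result=unlocked
    else
        result=locked
    fi
    rm -f "$tmp"
    printf '%s\n' "$result"
}
```

Two caveats from the thread still apply: only shells that implement TMOUT (bash, ksh, zsh) honour it, so a /bin/sh that is dash ignores the file, and the variable governs the prompt only, so a user who starts another shell or keeps the prompt busy is not logged off. Treat it as a convenience for idle terminals, not as a security boundary.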