Wednesday, June 24, 2009

HOWTO: Set the SSHD Idle Timeout

Here's something that I usually forget to change from the default and then get annoyed when my terminal hangs.
  1. As root, open your sshd_config file in an editor.

         su -
         vim /etc/ssh/sshd_config

  2. Add the following lines.

         ClientAliveInterval 600
         ClientAliveCountMax 3

  3. Restart the sshd process.

         service sshd restart

That's it. That will keep you logged in for 30 minutes at a time without activity. (600 seconds x 3)
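
An added example (not from the original post): a POSIX shell check that reads an sshd_config-style file and reports the global ClientAliveInterval and ClientAliveCountMax that take effect, plus the product the post computes (600 x 3). The function names and the sample file are constructed for illustration; the script relies on sshd using the first value it obtains for a keyword and handles plain integer seconds only.

```shell
#!/bin/sh
# Added example, not the post author's code.

# effective_value FILE KEYWORD DEFAULT   (hypothetical helper)
# Keywords are case-insensitive, "Keyword=value" is accepted, and the first
# value obtained wins. Parsing stops at the first Match line so that only
# the global section is reported.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, allow key=value
        tolower($1) == "match" { exit }         # per-user/host overrides start here
        tolower($1) == key && NF >= 2 { val = $2; exit }
        END { print val }
    ' "$1"
}

# alive_window FILE   (hypothetical helper)
# Prints "interval countmax product". Defaults used when a keyword is absent:
# ClientAliveInterval 0 (no probes sent) and ClientAliveCountMax 3.
alive_window() {
    interval=$(effective_value "$1" ClientAliveInterval 0)
    count=$(effective_value "$1" ClientAliveCountMax 3)
    case "$interval$count" in
        ''|*[!0-9]*)
            echo "non-integer ClientAlive value in $1" >&2
            return 1 ;;
    esac
    echo "$interval $count $((interval * count))"
}

# Constructed sample: a commented-out line, a later duplicate that is
# ignored, and a Match block whose override is not part of the global result.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#ClientAliveInterval 0
ClientAliveInterval 600
ClientAliveCountMax 3
ClientAliveInterval 60
Match User backup
    ClientAliveCountMax 10
EOF
alive_window "$sample"    # prints: 600 3 1800
rm -f "$sample"
```

On a live host, `sshd -t` checks the edited file for errors before the restart in step 3, and `sshd -T` prints the configuration sshd actually resolves.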

8 comments:

  1. Thanks for this helpful post! I was having lots of trouble getting this to work for larger amounts of time (30-60 minutes) because I thought these were the settings for the actual timeout limit of the sshd sessions so I was setting the ClientAliveInterval to a very high value (3600 for an hour). BUT I didn't understand that this isn't changing the timeout limit -- those are set elsewhere (not sure where, but it doesn't matter) and seem to be 15 minutes on my Ubuntu Hardy system. What these ClientAlive___ settings do is send a packet back and forth to the client every so often to keep the connection alive, so you must set the ClientAliveInterval to a number that is LOWER than whatever the built-in timeout is (so in my case, less than 900 [900 seconds=15 minutes]), then set the ClientAliveCountMax to the number of times you want that packet sent. So what worked for me to keep the session alive for an hour was to set both to 60 -- send the packet every 60 seconds, and do that 60 times. Phew!

  2. Actually what I want to do is quite the opposite. I want to ignore keepalive and make sure users are logged out after 15 mins of idling. Only a handful of articles describing this problem and none of them seem to work.

  3. If you want it to be 15 minutes change the values to 300 and 3. It's in seconds and repeated 3 times or whatnot.

  4. @temotodochi, et al - Same here, I'm not interested in keeping the connection open (since that's not really a problem). I'm interested in logging the user out after 15 minutes of inactivity.

    Replies
    1. Same here, looking for PCI DSS 8.5.15 compliance, forced logouts, which this does not do.

  5. Same here - I've set these settings - and even without these settings the session stays open indefinitely.
    I can't find anything that works.

  6. I found I had to set ClientAliveCountMax to zero. (Running on an old unsupported version of Ubuntu).

    ClientAliveInterval 60
    ClientAliveCountMax 0

    Now it will log my session off after 60 seconds of idle.


    Replies
    1. Is that the same timeout setting for SSH connections too?
