49

I can't seem to find an answer to this simple question, which I need for some compliance documentation.

On a default install of CentOS 6.5 (OpenSSH 5.3p1-94.el6), after how long of being idle will a user's SSH session be terminated? I believe the following can be set to increase the idle timeout, but they are commented out by default.

$ grep -i alive /etc/ssh/sshd_config
#TCPKeepAlive yes
#ClientAliveInterval 0
#ClientAliveCountMax 3

Also, is there a command to dump a list of the current sshd settings? I don't see anything in man sshd.

1
  • 3
    Some shells can be set to exit after a timeout. That would cause the ssh session to terminate. Check whether your TMOUT environment variable is set. Commented Aug 20, 2014 at 18:38

7 Answers

33

The commented lines in sshd_config usually display the defaults. This is the case with all of the lines in your question. You can verify this in the sshd_config manpage. Here are the relevant snippets:

TCPKeepAlive

      Specifies whether the system should send TCP keepalive messages to the other side.  If they are sent, death of the connection or crash of one of the machines will be properly noticed.  However, this means that connections will die if the route is down temporarily, and some people find it annoying.  On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving “ghost” users and consuming server resources.

      The default is “yes” (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes.  This avoids infinitely hanging sessions.

      To disable TCP keepalive messages, the value should be set to “no”.

      This option was formerly called KeepAlive.

ClientAliveCountMax

      Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client.  If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.  It is important to note that the use of client alive messages is very different from TCPKeepAlive (below) (above).  The client alive messages are sent through the encrypted channel and therefore will not be spoofable.  The TCP keepalive option enabled by TCPKeepAlive is spoofable.  The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

      The default value is 3.  If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds.  This option applies to protocol version 2 only.

ClientAliveInterval

      Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client.  The default is 0, indicating that these messages will not be sent to the client.  This option applies to protocol version 2 only.

5
  • 1
    Correct me if wrong, but if there was no firewall in between me and the machine (w/ default configs), then I'd never be disconnected? I know our firewall drops idle TCP connections after 60 minutes, so that's where the closing idle connections is happening. I just wanted to check and see if OpenSSH itself explicitly closes sessions. I think the answer is No, openssh does not explicitly close idle connections, but firewalls typically do. The settings mentioned in your answer actually help to persist the connection or to properly terminate the session if it sees it's been dropped. Commented Aug 15, 2014 at 15:31
  • 5
    The quoted text says that the default for ClientAliveInterval is 0, which means that it doesn't define a time interval for which a connection stays open. And yet we know that the time interval has some finite value by default. Therefore it seems that there must be some other parameter that sets how long the connection stays open by default. If my analysis above is correct, then suppose both server and client are linux machines running openssh, and both are using all the defaults. In this case which side sets the default, what is its value, and where is it set? Commented Apr 8, 2015 at 20:09
  • 4
    @BenCrowell And yet we know that the time interval has some finite value by default. What time interval and how do you know this? Commented Nov 13, 2017 at 8:21
  • 2
    @PiotrDobrogost: just connect to any machine with default settings and no firewalls, let it idle, and it will eventually drop by inactivity. I've never measured how long it takes, but I've seen such idle disconnections occur. Commented Aug 15, 2020 at 2:32
  • 1
    Nothing in this answer seems to indicate that SSH would terminate due to idleness. Commented Dec 14, 2022 at 16:04
22

OpenSSH will not terminate a shell session that has been idle for some time. This is not something that OpenSSH does. Terminating an idle shell session is unrelated to the configuration of OpenSSH.

The settings that you are showing are related to timeouts when the connection goes down and are unrelated to the shell on the remote host and what the user is doing or not doing there.

The remote host's shell may terminate (or may get killed by some other process) after some time of idleness, but this is unrelated to the configuration of the SSH service on the server and of your SSH client.


To dump the sshd configuration, use the "extended test mode" as root:

sshd -T

This is documented in the sshd(8) manual (looking at OpenSSH_7.7, LibreSSL 2.7.2 on OpenBSD here):

-T

Extended test mode. Check the validity of the configuration file, output the effective configuration to stdout and then exit. Optionally, Match rules may be applied by specifying the connection parameters using one or more -C options.

This option was added to sshd for OpenSSH 5.1/5.1p1 in 2008.

0
16

You can set up SSH keepalive for either the client or server side:

Client side

File: /etc/ssh/ssh_config

Content:

Host *
ServerAliveInterval XX
ServerAliveCountMax YY

Server side

File: /etc/ssh/sshd_config

Content:

ClientAliveInterval XX
ClientAliveCountMax YY

Extracted from: http://www.sysadmit.com/2016/02/linux-y-vmware-ssh-evitar-desconexion.html

2
  • 15
    Useful, but doesn't answer the question in any way. Commented Aug 18, 2016 at 9:44
  • 2
    @bzeaman: To be fair, none of the proposals here answer the question: "What is the default idle timeout for OpenSSH?" Commented Oct 7, 2020 at 3:15
6

If the requirement is to close the SSH connection after a period of inactivity, the shells themselves provide timeout variables.

For bash:

TMOUT: If set to a value greater than zero, TMOUT is treated as the default timeout for the read builtin. The select command terminates if input does not arrive after TMOUT seconds when input is coming from a terminal. In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates after waiting for that number of seconds if input does not arrive.

Test this by running TMOUT=10 and waiting 10 seconds for the connection to close.

For tcsh:

The autologout shell variable can be set to log out or lock the shell after a given number of minutes of inactivity.

In tcsh, the syntax for setting the timeout for ten minutes is set autologout=10. This doesn't work in the original csh.

6

SSH no longer has an idle timeout, but you can likely use the shell TMOUT variable instead. Mark it readonly to prevent tampering.

SSH does have keep-alive settings, on both the client and server, but they’re not idle timeouts. They can be used to automatically detect and close non-responsive connections. And they can also do the opposite of an idle timeout: send fake traffic back and forth at regular intervals so that firewalls don’t expire idle connections.

In older versions of SSH, if ClientAliveCountMax=0, that would end the SSH session after ClientAliveInterval seconds of inactivity, but that wasn’t documented or intentional on the part of OpenSSH developers.

# Will time out idle sessions, but only if OpenSSH version < 8.2, e.g., CentOS 7
ClientAliveInterval 60
ClientAliveCountMax 0

This was viewed as a bug in sshd, and removed in OpenSSH 8.2. Now ClientAliveCountMax=0 means to disable the client-alive stuff, not expire idle sessions. See the bug report.
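
As an added example (not from any of the answers and not OpenSSH's own code), this shell function reads `sshd -T` output and reports what the two client-alive settings actually do, following the man page excerpt quoted earlier and the pre-8.2 `ClientAliveCountMax 0` behaviour described in this answer. The function name, the output labels and the sample configuration are constructed for illustration, and the OpenSSH version is passed in by hand as major.minor.

```shell
#!/bin/sh
# Added example. Interprets the client-alive keywords printed by `sshd -T`
# (which emits lowercase keywords, e.g. "clientaliveinterval 0").
#
# classify_alive CONFIG_TEXT VERSION
#   CONFIG_TEXT  output of `sshd -T` (run as root)
#   VERSION      OpenSSH major.minor, entered by hand, e.g. 5.3 (see `ssh -V`)
# Prints one of (labels are made up for this example, not OpenSSH terms):
#   disabled          no client-alive probes; sshd closes nothing on its own
#   dead-peer N       an unresponsive client is dropped after about N seconds
#   idle-timeout N    pre-8.2 only: session ends after N seconds of inactivity
classify_alive() {
    printf '%s\n' "$1" | awk -v ver="$2" '
        BEGIN { interval = 0; count = 3 }          # defaults per sshd_config(5)
        $1 == "clientaliveinterval" { interval = $2 + 0 }
        $1 == "clientalivecountmax" { count = $2 + 0 }
        END {
            split(ver, v, ".")
            pre82 = (v[1] + 0 < 8 || (v[1] + 0 == 8 && v[2] + 0 < 2))
            if (interval == 0)
                print "disabled"                   # probes are never sent
            else if (count == 0 && pre82)
                print "idle-timeout " interval     # behaviour removed in 8.2
            else if (count == 0)
                print "disabled"                   # 8.2 and later: 0 turns probes off
            else
                print "dead-peer " (interval * count)
        }'
}

# Constructed sample resembling an excerpt of `sshd -T` output.
sample='port 22
clientaliveinterval 15
clientalivecountmax 3
tcpkeepalive yes'

# The man page case: interval 15 with the default count of 3.
classify_alive "$sample" 5.3
```

On a live host the call would be `classify_alive "$(sshd -T)" 5.3`; only the `idle-timeout` result describes a session being closed because the user was inactive.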

-1

If you want the timeout to be 10 seconds for everyone, do the following for the server config (sshd_config):

ClientAliveInterval 10
ClientAliveCountMax 0

If you want the timeout to be 10 seconds for local clients, do the following for the client config (ssh_config):

ServerAliveInterval 10
ServerAliveCountMax 0

If the AliveCountMax parameter is non-zero, it probably won't work because the server will reply resetting the timer (unless there's a connection problem). You can see this by running the ssh client with debugging turned on.

2
  • 1
    doesn't answer the actual question Commented Feb 23, 2021 at 19:48
  • It gets close enough for me, but note @andrew says, with a compelling citation, that the AliveCountMax == 0 behavior was deemed a bug Commented Aug 13, 2021 at 18:50
-1

You can increase the session time when making a connection like:

ssh -o ServerAliveInterval=60 -i Firstme.pem [email protected]

-o ServerAliveInterval=60: here you can define your time in minutes, 60, 120, ...

1
  • 1
    that's actually minutes. And anyway, it doesn't answer the actual question at all Commented Feb 23, 2021 at 19:47
