7

PCI-DSS 3.0 requirement 8.1.8 states: "If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session." The same was in PCI-DSS 2.0, requirement 8.5.15.

The first, and most obvious, way to deal with ssh sessions that are idling at the bash prompt is by enforcing a read-only, global $TMOUT of 900. Unfortunately, that only covers sessions sitting at the bash prompt. The spirit of the PCI spec would also require killing sessions running top/vim/etc.

I've considered writing a */1 cron job that parses the output of "/usr/bin/w" and kills the associated shell, but that seems like a blunt instrument. Any ideas for something that would actually do what the spec requires and just lock the terminal? I've looked at away and vlock; they both seem great for voluntarily locking your terminal, but I need a cron/daemon task that will enforce locking.

kubanczyk
Insyte
  • I'm really not trying to be pedantic, but I think you need to define 'idle' for us: idle = no user input? or idle = no output to user? The solutions required will be different. – pjz Jul 07 '09 at 03:27
  • idle == no user input – Insyte Jul 07 '09 at 15:28
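The cron-style check the question considers, as an added example that is not part of the original post: a POSIX sh script that parses `w -h` output and reports the sessions whose IDLE value exceeds the 900-second PCI threshold. A constructed sample of `w -h` output is embedded so it runs offline; a real cron job would pipe the live command instead. `w` derives IDLE from the tty's atime, which the kernel updates only when a process reads user input, so a session sitting in top or vim is still counted as idle, which matches the "idle == no user input" definition above.

```shell
#!/bin/sh
# Added example: report SSH sessions idle past the PCI-DSS limit from `w -h` output.
# Assumes procps `w` with its default column layout (USER TTY FROM LOGIN@ IDLE ...).

PCI_IDLE_LIMIT=900   # seconds, PCI-DSS 8.1.8

# Constructed sample of `w -h` output (not a real capture); cron would use the live command.
SAMPLE_W='alice    pts/0    10.0.0.5         09:15    2.00s  0.10s  0.02s w -h
bob      pts/1    10.0.0.7         08:02   17:33   0.05s  0.05s vim notes.txt
carol    pts/2    10.0.0.9         Mon09    2days  0.20s  0.20s top
dave     pts/3    10.0.0.3         07:40    1:02m  0.03s  0.03s -bash'

# Convert one IDLE field from procps `w` into whole seconds.
# Formats: "S.CCs" (under 1 min), "M:SS" (under 1 h), "H:MMm" (under 48 h), "Ndays".
idle_seconds() {
    case "$1" in
        *days) echo $(( ${1%days} * 86400 )) ;;
        *m)    hm=${1%m}; mm=${hm#*:}; mm=${mm#0}      # strip a leading zero for arithmetic
               echo $(( ${hm%%:*} * 3600 + mm * 60 )) ;;
        *s)    ss=${1%s}; echo "${ss%%.*}" ;;
        *:*)   ss=${1#*:}; ss=${ss#0}
               echo $(( ${1%%:*} * 60 + ss )) ;;
        *)     echo 0 ;;   # unknown format ("?" after a clock change): treat as active
    esac
}

# Read `w -h` lines on stdin; print "user tty idle_seconds" for sessions idle longer than $1.
# IDLE is the age of the tty's atime, which only user input refreshes, so a session
# that is merely watching top's screen refreshes is still reported.
report_idle() {
    limit=$1
    while read -r user tty _from _login idle _rest; do
        secs=$(idle_seconds "$idle")
        if [ "$secs" -gt "$limit" ]; then
            printf '%s %s %s\n' "$user" "$tty" "$secs"
            # Site policy decides the action here (warn the user on /dev/$tty, lock,
            # or close the session); this example only reports.
        fi
    done
}

# Stand-alone run against the constructed sample (cron would run: w -h | report_idle 900).
printf '%s\n' "$SAMPLE_W" | report_idle "$PCI_IDLE_LIMIT"
```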

5 Answers

4

Could you put "exec screen -R" in .bash_profile and "idle 900 lockscreen" in .screenrc to solve this? That'd automatically reattach to their screen session if it's still there and create a new one if it isn't, but lock the screen if it's idle for 900 seconds.

I believe users could disable the idle, though...

Alternately: just plain "exec screen" and also "autodetach off" in .screenrc so that their sessions die if they get disconnected.

freiheit
  • Interesting idea; I may end up with something like this. However I think I'd experience a rebel uprising if I forced everyone to start working inside screen. – Insyte Jul 07 '09 at 15:31
  • With autodetach off, they'd basically never notice. If you included something like 'defescape "^ "' (or at least to a more obscure control sequence than ^A) it'd be impossible or unlikely for them to actually treat screen like screen; they'd just see "screen" if they echoed the TERM var, and even that you could change to vt100. – freiheit Jul 07 '09 at 17:21
  • Is there a way to disconnect the users session not lock the screen and also run a script when the user is put into the screen that prints some messages/warnings? – mRyan Jan 18 '23 at 17:04
4

The following, added to your sshd config, will simply close the SSH connection after 15 minutes of inactivity:

ClientAliveInterval 900
ClientAliveCountMax 0

It is essential to include ClientAliveCountMax 0 to prevent the server from sending "client alive messages" to the SSH client.

orokusaki
  • As freiheit already pointed out: This simply doesn't do what's wanted at all. The ClientAliveInterval causes the sshd server to (essentially) send a ping through the ssh channel to see if the client is still there. It's not useful for idling out the user. – kubanczyk Mar 20 '15 at 11:53
  • It worked for me. Did you test it? If so, did you restart the ssh daemon? Did you restart your SSH session after restarting the daemon? Note that `man sshd_config` indicates _This option applies to protocol version 2 only_ for both `ClientAliveCountMax` and `ClientAliveInterval` – cherdt Sep 19 '17 at 01:23
3

Under BSD I'm using idled by Michael P. Crider.

Quote from the description:

Idled is a daemon that runs on a machine to keep an eye on current users. If users have been idle for too long, or have been logged on for too long, or have logged in too many times, it will warn them and log them out appropriately.

I think you can also find it in Linux repositories.

SaveTheRbtz
1

The right answer here is

export TMOUT=900

in .bash_profile

(invoking screen isn't a direct way to deal with this problem)

http://linux.die.net/man/1/bash

Arenstar
1

Does sshd's IdleTimeout setting do what you want? I haven't tested it with users using top, but it should work for vim or things which aren't sending data.

Cian
  • +1 -- This is my thought, as well. Set "ClientAliveInterval 900" (15 min = 900s) and "ClientAliveCountMax 0" in /etc/ssh/sshd_config and restart sshd and that should do it. – Geoff Fritz Jul 06 '09 at 23:31
  • That timeout can be easily circumvented by a client application sending "keep-alive" packets though. – David Spillett Jul 06 '09 at 23:46
  • This simply doesn't do what's wanted at all. The ClientAliveInterval causes the sshd server to (essentially) send a ping through the ssh channel to see if the client is still there. It's not useful for idling out the user. – freiheit Jul 07 '09 at 17:13