
How to Set Session Timeout in Red Hat


As administrators, we use ssh to manage our servers in day-to-day operation. While I am still in the middle of my work, the ssh session times out and auto-logs me out when there is no activity. It really pisses me off if I still have work to do and my work is gone.

So, I need a way to set a session timeout that is reasonable enough for me. Here are some ways I usually do it on several of my servers.

Set timeout environment variable globally

export TMOUT=<time in secs>

If you want this setting to work only for specific users, set it in $HOME/.bashrc. If you want it applied to all users, set it in /etc/bashrc.

When the set amount of time has elapsed, the following message is displayed:

timed out waiting for input: auto-logout

When the specified time is reached, the shell exits. If the shell has started a child shell process, the child shell process exits first. If there is still no activity in the parent shell, the parent shell exits after the timeout.

Set SSH inactivity timeout

You can also set the SSH inactivity timeout to your desired value.

There are two options related to ssh inactivity in the /etc/ssh/sshd_config file:

ClientAliveInterval
ClientAliveCountMax

So we can get the SSH timeout value by multiplying ClientAliveInterval with ClientAliveCountMax.

timeout interval = ClientAliveInterval * ClientAliveCountMax

From the man page of sshd_config, we can get the definitions of these options:

# man sshd_config

ClientAliveCountMax
Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

There are two methods that we can use to configure the inactivity timeout. For example, suppose we want to configure an auto-logout interval of 20 minutes.

Method 1

1. Configure the timeout value in the /etc/ssh/sshd_config file with the parameter values below.

# vi /etc/ssh/sshd_config

# 10 minutes
ClientAliveInterval 10m
# 2 times
ClientAliveCountMax 2

2. Restart the ssh service after setting the values.

# service sshd restart

or

# systemctl restart sshd

This makes the session time out after 20 minutes, because the ClientAliveInterval value is multiplied by the ClientAliveCountMax value.

Method 2

1. You can also set the ClientAliveCountMax value to 0 and the ClientAliveInterval value to 20m to get the same result.

# vi /etc/ssh/sshd_config

# 20 minutes
ClientAliveInterval 20m
# 0 times
ClientAliveCountMax 0

2. Restart the ssh service after setting the values.

# service sshd restart

or

# systemctl restart sshd

The difference between method 1 and method 2

There is a small difference between the two. With the first method, sshd sends messages, called Client Alive Messages, through the encrypted channel to request a response from the client if the client is inactive for 10 minutes. The sshd daemon sends these messages at most two times. If this threshold is reached while Client Alive Messages are being sent, sshd disconnects the client.

With the second method, sshd does not send client alive messages and terminates the session directly if the client is inactive for 20 minutes.
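
To check what a given configuration adds up to, the following added example (not part of the original post) applies the formula timeout interval = ClientAliveInterval * ClientAliveCountMax to sshd_config-style text, converting values such as 10m to seconds. The function name ssh_timeout is hypothetical, and it assumes plain "keyword value" lines in the global section only.

```sh
#!/bin/sh
# Added example (not from the original post). ssh_timeout is a hypothetical
# helper: it reads sshd_config-style text on stdin and reports the timeout
# that ClientAliveInterval * ClientAliveCountMax works out to, in seconds.
# Assumptions: "keyword value" lines, global section only (stops at Match).
ssh_timeout() {
  awk '
    # Convert an sshd time value (600, 10m, 1h30m) to seconds; -1 if malformed.
    function secs(v,    total, tok, n, u) {
      v = tolower(v); total = 0
      if (v == "") return -1
      while (match(v, /^[0-9]+[smhdw]?/)) {
        tok = substr(v, 1, RLENGTH); v = substr(v, RLENGTH + 1)
        n = tok + 0; u = substr(tok, length(tok))
        if (u == "m") n *= 60
        else if (u == "h") n *= 3600
        else if (u == "d") n *= 86400
        else if (u == "w") n *= 604800
        total += n
      }
      return (v == "") ? total : -1
    }
    BEGIN { interval = 0; count = 3 }   # defaults given in the man page text
    /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
    { key = tolower($1) }
    key == "match" { exit }             # per-user/host overrides not handled
    # sshd keeps the first value it obtains for each keyword.
    key == "clientaliveinterval" && !seen_i++ { interval = secs($2) }
    key == "clientalivecountmax" && !seen_c++ { count = $2 + 0 }
    # Count 0: OpenSSH 8.2 and later treat it as "never disconnect"; older
    # releases behave as Method 2 describes, so check the version (ssh -V).
    END {
      if (interval < 0)       print "error: bad ClientAliveInterval"
      else if (interval == 0) print "timeout=none"
      else if (count == 0)    print "timeout=version-dependent interval=" interval
      else                    print "timeout=" interval * count
    }'
}

# Constructed sample input: the Method 1 settings.
printf 'ClientAliveInterval 10m\nClientAliveCountMax 2\n' | ssh_timeout  # timeout=1200
```

On a live server, the effective settings can be piped in as root with `sshd -T | ssh_timeout`, since sshd -T prints the same keyword and value pairs in lower case.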
