OpenSSH and Idle Timeouts

Darren Tucker dtucker at
Wed Apr 19 10:42:24 EST 2006

Eli K. Breen wrote:
> Theo et al.,
> I've looked back through the OpenSSH mailing lists and am stumped as to 
> why there is no IdleTimeout option for OpenSSH. (Normally the omission 
> of a feature as useful as this generates much debate and flame-quashing 
> from the dev. team).
> Is there some background to this that I'm missing?
> Here's the scenario, and I'm fully open to any workarounds.
> We use a combination of OpenBSD(3.7) and FreeBSD(5.x/6.0) machines as 
> various SSH access points to our network. Developers and users, being 
> only human, often end up leaving idle connections open for 
> days/weeks/months at a time. This is both unsightly (from the admin 
> perspective) and generally makes auditing and user activity 
> tracking/tracing much more difficult. In short, I'm looking for a way to 
> expire idle connections across both of these platforms while sticking 
> with OpenSSH because of its excellent security history and close ties to 
> the *BSDs.
> Are there any plans to add idle timeouts to OpenSSH in future? Does 
> anyone have any proven methods and/or patches for working around this 
> problem?

It depends on what you mean by "idle".

If you mean "hasn't exchanged any protocol traffic for a while and might 
actually be gone" then see ClientAliveInterval and ClientAliveCountMax 
in sshd_config.

If you mean "at the shell but haven't typed anything for a while" then 
there's no mechanism in sshd for that right now, and it's probably not 
something that sshd should be doing anyway; ssh connection != shell 
session (you can have zero, 1 or many shell sessions per ssh 
connection).  There are a couple of other options: shell timeout options (as 
others have pointed out) or there's an "idle daemon" that does this for 
all login types (the details escape me at the moment).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
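
Added example, not part of the original post: a check for the first meaning of "idle" in the reply above (a peer that has stopped answering protocol traffic), computing the timeout that ClientAliveInterval and ClientAliveCountMax give for the global section of an sshd_config. The function names and the sample file are hypothetical; it assumes values in plain seconds and ignores Match blocks and Include files. It says nothing about a user sitting idle at a shell prompt.

```shell
#!/bin/sh
# Added example: how long sshd waits before dropping a client that has stopped
# answering, i.e. ClientAliveInterval * ClientAliveCountMax.

# first_global KEYWORD FILE: print the first value set before any Match block.
# sshd uses the first value it obtains for a keyword; keywords are
# case-insensitive and may be written "Key Value" or "Key=Value".
first_global() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # strip comments, normalise "="
        tolower($1) == "match" { exit }                  # Match blocks are conditional
        NF >= 2 && tolower($1) == want { print $2; exit }
    ' "$2"
}

# dead_peer_timeout FILE: print the timeout in seconds, "disabled", or
# "unsupported" (status 1) for values that are not plain seconds, e.g. "5m".
dead_peer_timeout() {
    interval=$(first_global ClientAliveInterval "$1")
    count=$(first_global ClientAliveCountMax "$1")
    interval=${interval:-0}   # sshd default 0: no client-alive probes are sent
    count=${count:-3}         # sshd default 3 unanswered probes
    case "$interval$count" in
        *[!0-9]*) echo unsupported; return 1 ;;
    esac
    # CountMax 0 disables termination in OpenSSH 8.2 and later.
    if [ "$interval" -eq 0 ] || [ "$count" -eq 0 ]; then
        echo disabled
    else
        echo $((interval * count))
    fi
}

# Constructed sample, not a real server's configuration.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# global section
clientaliveinterval 60
ClientAliveCountMax=5
ClientAliveInterval 15
Match User backup
    ClientAliveInterval 0
EOF
echo "unresponsive clients dropped after: $(dead_peer_timeout "$cfg")"
rm -f "$cfg"
```

On the sample the first ClientAliveInterval line wins, so the later value of 15 and the one inside the Match block do not change the result.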

More information about the openssh-unix-dev mailing list