OpenSSH and Idle Timeouts
Darren Tucker
dtucker at zip.com.au
Wed Apr 19 10:42:24 EST 2006
Eli K. Breen wrote:
> Theo et al.,
>
> I've looked back through the OpenSSH mailing lists and am stumped as to
> why there is no IdleTimeout option for OpenSSH. (Normally the omission
> of a feature as useful as this generates much debate and flame-quashing
> from the dev. team).
>
> Is there some background to this that I'm missing?
>
> Here's the scenario, and I'm fully open to any workarounds.
>
> We use a combination of OpenBSD(3.7) and FreeBSD(5.x/6.0) machines as
> various SSH access points to our network. Developers and users, being
> only human, often end up leaving idle connections open for
> days/weeks/months at a time. This is both unsightly (from the admin
> perspective) and generally makes auditing and user activity
> tracking/tracing much more difficult. In short, I'm looking for a way to
> expire idle connections across both of these platforms while sticking
> with OpenSSH because of its excellent security history and close ties to
> the *BSDs.
>
> Are there any plans to add idle timeouts to OpenSSH in future? Does
> anyone have any proven methods and/or patches for working around this
> problem?
It depends on what you mean by "idle".
If you mean "hasn't exchanged any protocol traffic for a while and might
actually be gone" then see ClientAliveInterval and ClientAliveCountMax
in sshd_config.
If you mean "at the shell but haven't typed anything for a while" then
there's no mechanism in sshd for that right now, and it's probably not
something that sshd should be doing anyway; ssh connection != shell
session (you can have zero, 1 or many shell sessions per ssh
connection). There are a couple of other options: shell timeout options (as
others have pointed out) or there's an "idle daemon" that does this for
all login types (the details escape me at the moment).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
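As an added example, not part of the thread: a small POSIX shell helper that reads the two sshd_config keywords named in the reply and reports the deadline they produce together, so a reviewer can see at a glance whether a host actually drops silent connections. It assumes a plain, space-separated config without Match blocks and sshd's documented defaults (ClientAliveInterval 0 = disabled, ClientAliveCountMax 3).

```shell
#!/bin/sh
# Added example (not from the original thread). Compute the effective
# dead-connection deadline that sshd's ClientAliveInterval and
# ClientAliveCountMax give: sshd sends a client-alive probe every
# ClientAliveInterval seconds and closes the connection after
# ClientAliveCountMax probes go unanswered, so the deadline is roughly
# interval * count seconds. Assumption: plain "Keyword value" lines, no
# Match blocks; unset keywords fall back to the documented defaults.

# $1 = config text, $2 = keyword; prints the last value set, or nothing.
# Keywords are matched case-insensitively; commented lines do not match.
sshd_opt() {
    printf '%s\n' "$1" |
        awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }'
}

# $1 = config text; prints the deadline in seconds, or "disabled" when
# ClientAliveInterval is 0 (sshd then never probes, so CountMax is moot).
client_alive_deadline() {
    interval=$(sshd_opt "$1" ClientAliveInterval)
    count=$(sshd_opt "$1" ClientAliveCountMax)
    : "${interval:=0}" "${count:=3}"
    if [ "$interval" -eq 0 ]; then
        echo disabled
    else
        echo $((interval * count))
    fi
}

# Constructed sample configs. The first sets only CountMax, a common
# mistake that leaves probing off; the second drops a silent client
# after about ten minutes (120 s * 5).
DEFAULT_CFG='Port 22
ClientAliveCountMax 5'
TUNED_CFG='ClientAliveInterval 120
ClientAliveCountMax 5'

client_alive_deadline "$DEFAULT_CFG"   # prints "disabled"
client_alive_deadline "$TUNED_CFG"     # prints "600"
```

This only covers the first meaning of "idle" in the reply (no protocol traffic); a user sitting at a live shell keeps the connection alive, and for that case the shell's own idle timeout (TMOUT in bash and ksh) is the separate control the reply points to.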