LinuxQuestions.org
Old 03-14-2019, 10:58 AM   #1
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 927

Rep: Reputation: 74
sshd automatic disconnection not working


I've the ssh service on several Ubuntu (14, 16, 18) /Debian servers like this:
Code:
ClientAliveInterval 1200
ClientAliveCountMax 3
ListenAddress 0.0.0.0
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server
AuthorizedKeysFile /etc/ssh/users/authorized_keys_%u
For some reason I don't get disconnected after 1 hour (1200x3 seconds). Any ideas why that isn't happening and what I'm missing?
 
Old 03-14-2019, 11:53 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,138

Rep: Reputation: 5344
Quote:
Originally Posted by vincix View Post
I've the ssh service on several Ubuntu (14, 16, 18) /Debian servers like this:
Code:
ClientAliveInterval 1200
ClientAliveCountMax 3
ListenAddress 0.0.0.0
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server
AuthorizedKeysFile /etc/ssh/users/authorized_keys_%u
For some reason I don't get disconnected after 1 hour (1200x3 seconds). Any ideas why that isn't happening and what I'm missing?
Have you read the sshd_config man page and looked at what the two options (bolded) actually do? From the man page:
Quote:
Originally Posted by SSHD_CONFIG Man Page
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

ClientAliveCountMax
The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.
 
Old 03-14-2019, 12:02 PM   #3
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 927

Original Poster
Rep: Reputation: 74
Well, I have and I still don't understand it as different. Further explanation would be greatly appreciated. Most of the tutorials on the internet point only to these two directives which should work just fine.
Do you mean to say that it refers only to connections which go through actual interruptions (internet connection going down, whatever), and not for cases when you simply keep the session open, but are idle?
 
Old 03-14-2019, 01:16 PM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,554

Rep: Reputation: 868
Quote:
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client.
Here's my understanding:
1. No data is received from the client for 1200 seconds
2. The server "asks" the client if it's still there
3. The client responds to that.
4. Reset the 1200 second clock.

The behaviour the OP is expecting (a disconnect) would only happen if the client didn't respond at step 3, 3 times. I suspect that in most cases, the client would respond. ("Yup, I'm still here").
I don't believe these settings are about user activity, just a "network level" checking for connectivity.
 
1 member found this post helpful.
Old 03-14-2019, 01:33 PM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,138

Rep: Reputation: 5344
Quote:
Originally Posted by scasey View Post
Here's my understanding:
1. No data is received from the client for 1200 seconds
2. The server "asks" the client if it's still there
3. The client responds to that.
4. Reset the 1200 second clock.

The behaviour the OP is expecting (a disconnect) would only happen if the client didn't respond at step 3, 3 times. I suspect that in most cases, the client would respond. ("Yup, I'm still here"). I don't believe these settings are about user activity, just a "network level" checking for connectivity.
Yep. And since the client itself *IS* connected, the check will always pass...so things carry on. I've seen it work, and it'll drop, but I've also seen it NOT work, depending on the ssh_config settings for the client. Setting the TMOUT environment variable is another option, and that works independently of the protocol.

Simply adjusting the variables to a short interval for testing is pretty easy, to see if things work, but the man page is pretty clear.
 
2 members found this post helpful.
Old 03-14-2019, 01:40 PM   #6
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 7
Posts: 927

Original Poster
Rep: Reputation: 74
If I set ClientAliveCountMax to 0 and adjust it only through ClientAliveInterval, then I get the expected behaviour, that is to say, only the idle time is being counted. After this Interval lapses, it disconnects, regardless of whether the user is idle or (I imagine) there's a network connection problem.
 
Old 03-14-2019, 01:47 PM   #7
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,554

Rep: Reputation: 868
Quote:
Originally Posted by vincix View Post
If I set ClientAliveCountMax to 0 and adjust it only through ClientAliveInterval, then I get the expected behaviour, that is to say, only the idle time is being counted. After this Interval lapses, it disconnects, regardless of whether the user is idle or (I imagine) there's a network connection problem.
There you go. Sounds like you've figured out how to do what you want.
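
Added example, not part of any post in this thread: a shell check that reports which behaviour a given ClientAliveInterval / ClientAliveCountMax pair produces. It encodes the thread's finding (ClientAliveCountMax 0 drops idle sessions) for OpenSSH before 8.2, and the change in OpenSSH 8.2 after which ClientAliveCountMax 0 disables termination instead; the function name, result labels and sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads sshd_config text (or `sshd -T`
# output) on stdin; $1 is the version string printed by `ssh -V`.
# Assumes plain "Keyword seconds" lines and ignores Match blocks.
classify_idle_policy() {
    version=$1
    # The first occurrence of a keyword wins and keywords are case-insensitive.
    # Defaults: ClientAliveInterval 0, ClientAliveCountMax 3.
    set -- $(awk '
        BEGIN { i = 0; c = 3 }
        /^[ \t]*#/ { next }
        tolower($1) == "clientaliveinterval" && !si { i = $2; si = 1 }
        tolower($1) == "clientalivecountmax" && !sc { c = $2; sc = 1 }
        END { print i, c }')
    interval=$1
    count=$2
    # "OpenSSH_7.6p1 Ubuntu-..." -> "7 6"
    set -- $(printf '%s\n' "$version" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    major=${1:-0}
    minor=${2:-0}

    if [ "$interval" -eq 0 ]; then
        echo no-probes          # sshd never sends client-alive requests
    elif [ "$count" -gt 0 ]; then
        echo dead-peer-only     # idle but reachable clients keep answering
    elif [ "$major" -eq 0 ]; then
        echo unknown-version    # version string could not be parsed
    elif [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }; then
        echo never-disconnect   # 8.2 and later: CountMax 0 disables termination
    else
        echo idle-disconnect    # before 8.2: dropped after one quiet interval
    fi
}

# Constructed inputs: the settings from posts #1 and #6, with sample versions.
post1='ClientAliveInterval 1200
ClientAliveCountMax 3'
post6='ClientAliveInterval 1200
ClientAliveCountMax 0'
printf '%s\n' "$post1" | classify_idle_policy 'OpenSSH_7.6p1'   # dead-peer-only
printf '%s\n' "$post6" | classify_idle_policy 'OpenSSH_7.6p1'   # idle-disconnect
printf '%s\n' "$post6" | classify_idle_policy 'OpenSSH_8.2p1'   # never-disconnect
```

On a server, pipe `sshd -T` into the function and pass the string from `ssh -V`. A `never-disconnect` or `dead-peer-only` result means idle sessions have to be ended by other means, such as the TMOUT variable mentioned in post #5.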
 
  

