It is often desirable to terminate SSH sessions after they have been sitting idle for a period of time. If you do any quick searching you will find that many (most?) believe that the sshd configuration settings ClientAliveInterval and ClientAliveCountMax are the place to configure this. Sadly, many security hardening guides[1,2], frameworks, benchmark documents, and tools (which are based on those documents) provide this same incorrect guidance. The ClientAliveInterval and ClientAliveCountMax settings do not exist to terminate sessions that have merely gone unused for a period of time. These settings in OpenSSH are used to detect unresponsive clients (NOT responsive, functioning but idle clients). They are purely a heartbeat mechanism.
Below you can see a ClientAliveInterval setting of 60 seconds and my OpenSSH session having zero input or output for 120 seconds and still remaining connected:

```
[jblaine@testbed1~]$ sudo grep -i client /etc/ssh/sshd_config
ClientAliveCountMax 0
ClientAliveInterval 60
[jblaine@testbed1~]$ count=0; while :; do count=$(( count + 120 )); sleep 120; echo $count seconds have passed; done
120 seconds have passed
240 seconds have passed
^C
```
Likewise, we see the same behavior with ClientAliveCountMax set to 1:

```
[jblaine@testbed1~]$ sudo grep -i client /etc/ssh/sshd_config
ClientAliveCountMax 1
ClientAliveInterval 60
[jblaine@testbed1~]$ count=0; while :; do count=$(( count + 120 )); sleep 120; echo $count seconds have passed; done
120 seconds have passed
240 seconds have passed
^C
```
OpenSSH has no functionality built into it to disconnect sessions that are functional but merely idle for a certain period of time. When sshd receives no response from a client after ClientAliveCountMax * ClientAliveInterval seconds, it considers the client unresponsive network-wise and terminates the connection. See client_alive_check() in OpenSSH's serverloop.c.
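To make the heartbeat concrete, here is an added Python model of that server loop (an illustration written for this post, not OpenSSH code). It assumes the rule just described: a probe goes out after each ClientAliveInterval of silence from the client, and the session ends once more than ClientAliveCountMax probes go unanswered; it deliberately has no notion of user idleness at all.

```python
"""Model of sshd's client-alive heartbeat (illustration only, not OpenSSH code).

Assumed rule, following client_alive_check() in serverloop.c: after
ClientAliveInterval seconds with no packet from the client, sshd bumps an
"unanswered" counter, ends the session if it exceeds ClientAliveCountMax, and
otherwise sends a keepalive@openssh.com request. Any packet from the client,
a keystroke or the probe reply (even a REQUEST_FAILURE), resets the counter.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Outcome:
    terminated: bool          # did sshd close the session?
    at_second: Optional[int]  # if so, at which second of the session
    probes_sent: int          # keepalive requests sshd sent


def simulate(interval: int, count_max: int, client_answers: bool,
             user_data_at: Iterable[int] = (), session_seconds: int = 600) -> Outcome:
    """Tick one second at a time; user_data_at lists seconds carrying real traffic."""
    data_at = set(user_data_at)
    last_packet = 0           # last second anything arrived from the client
    last_probe = -interval    # lets the first probe fire at `interval`
    unanswered = 0            # the alive_timeouts counter kept in packet.c
    probes = 0
    for now in range(1, session_seconds + 1):
        if now in data_at:    # channel data: the client is obviously alive
            last_packet, unanswered = now, 0
            continue
        if interval <= 0:     # ClientAliveInterval 0: heartbeat disabled
            continue
        if now - last_packet < interval or now - last_probe < interval:
            continue          # sshd's select() has not timed out yet
        unanswered += 1       # client_alive_check(): count, test, then probe
        if count_max > 0 and unanswered > count_max:   # 0 disables termination
            return Outcome(True, now, probes)          # "Timeout, client not responding"
        probes += 1
        last_probe = now
        if client_answers:    # a working ssh client answers at once, typing or not
            last_packet, unanswered = now, 0
    return Outcome(False, None, probes)


if __name__ == "__main__":
    # The post's setup: interval 60, count max 1, an idle but working client.
    print(simulate(60, 1, client_answers=True, session_seconds=240))
    # What the settings are really for: a client that has stopped answering.
    print(simulate(60, 1, client_answers=False, session_seconds=240))
```

With the post's settings the idle-but-working client is probed four times in 240 seconds and never dropped, while a client that stops answering is dropped at the second check, ClientAliveCountMax * ClientAliveInterval seconds after its first unanswered probe.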
How did this misunderstanding come about? The usual suspects: echo chambers and people copying and pasting without testing. But I also blame the ClientAliveInterval section of the man page for sshd, which uses the overloaded term “inactive” where it should use the word “unresponsive”. As such, I’ve created a pull request.