How to set up an inactivity timeout for ssh on CentOS/RHEL

CentOS / RHEL: How to set up a session idle timeout (inactivity timeout) for ssh auto logout

There are two options related to ssh inactivity in the /etc/ssh/sshd_config file:

ClientAliveInterval

ClientAliveCountMax

The timeout value is calculated by multiplying ClientAliveInterval by ClientAliveCountMax.

timeout interval = ClientAliveInterval * ClientAliveCountMax

The meaning of the two parameters can be found in the man page of sshd_config:

# man sshd_config

     ClientAliveCountMax

             Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable.  The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

     ClientAliveInterval

             Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

There are two methods to configure the inactivity timeout. As an example, in this post we will configure an auto logout interval of 10 minutes.

Method 1

1. Configure the timeout value in the /etc/ssh/sshd_config file with the parameter values below.

# vi /etc/ssh/sshd_config

# 5 minutes
ClientAliveInterval 5m

# 2 times
ClientAliveCountMax 2

2. Restart the ssh service after setting the values.

# service sshd restart

This makes the session time out after 10 minutes, because the ClientAliveInterval value is multiplied by the ClientAliveCountMax value.

Method 2

1. You can set the ClientAliveCountMax value to 0 and ClientAliveInterval value to 10m to achieve the same thing.

# vi /etc/ssh/sshd_config

# 10 minutes
ClientAliveInterval 10m

# 0 times
ClientAliveCountMax 0

2. Restart the ssh service after setting the values.

# service sshd restart

Difference between method 1 and method 2

There is a small difference between these two methods. With the first method, sshd sends messages, called Client Alive Messages here, through the encrypted channel to request a response from the client if the client is inactive for five minutes. The sshd daemon sends these messages at most two times. If this threshold is reached while Client Alive Messages are being sent, sshd disconnects the client.

With the second method, sshd does not send client alive messages and terminates the session directly if the client is inactive for 10 minutes.
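
The formula above as a runnable check, added here as an example (it is not code from the original post): the hypothetical functions to_seconds and client_alive_timeout parse sshd_config-style text, including the time suffixes used in Methods 1 and 2, and print the interval, the count and their product in seconds. The sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compute
# timeout interval = ClientAliveInterval * ClientAliveCountMax from sshd_config text.

# Convert an sshd_config time value (600, 5m, 1h30m, ...) to seconds.
to_seconds() {
    rest=$1 total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        num=${rest%%[!0-9]*}                      # leading digits
        [ -n "$num" ] || return 1
        rest=${rest#"$num"}
        while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do num=${num#0}; done
        unit=${rest%"${rest#?}"}                  # next character, if any
        rest=${rest#?}
        case $unit in
            ''|s|S) mult=1 ;;
            m|M) mult=60 ;;
            h|H) mult=3600 ;;
            d|D) mult=86400 ;;
            w|W) mult=604800 ;;
            *) return 1 ;;
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Read sshd_config-style text on stdin and print "interval count product" (seconds).
# The first occurrence of a keyword wins; unset keywords use the defaults 0 and 3.
# Assumption: whitespace-separated "Keyword value" lines; Match blocks are not evaluated.
client_alive_timeout() {
    interval=0 count=3 seen_i='' seen_c=''
    while read -r key val extra || [ -n "$key" ]; do
        case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
            match) break ;;
            clientaliveinterval)
                [ -n "$seen_i" ] || { interval=$(to_seconds "$val") || return 1; seen_i=1; } ;;
            clientalivecountmax)    # plain decimal, no leading zeros
                case $val in ''|*[!0-9]*|0?*) return 1 ;; esac
                [ -n "$seen_c" ] || { count=$val; seen_c=1; } ;;
        esac
    done
    echo "$interval $count $((interval * count))"
}

# Constructed sample input: the Method 1 settings from this post.
printf 'Port 22\nClientAliveInterval 5m\nClientAliveCountMax 2\n' | client_alive_timeout
# On a live host, feed it the effective settings instead: sshd -T | client_alive_timeout
```

For the Method 2 settings the function prints 600 0 0, since the product is 0. From OpenSSH 8.2 onward, a ClientAliveCountMax of 0 disables connection termination, so check the installed version with ssh -V before relying on Method 2.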
