At work we maintain over a hundred machines, most of which are regularly accessed via SSH by our developers. Because of the number of machines and the number of tasks that need to be completed, we found that developers would often forget they were logged into a server and leave an idle SSH session open. Given the sensitive nature of the data on many of the servers, we needed a solution. We decided to use an SSH feature to automatically log out SSH sessions after a period of inactivity. Here is how we did it.
Inside the sshd_config file (/etc/ssh/sshd_config) there are settings for ClientAliveInterval and ClientAliveCountMax. Edit these two lines to look something like:
ClientAliveInterval 300
ClientAliveCountMax 0
Once these settings are changed you’ll need to restart your SSH server for them to take effect.
sudo /etc/init.d/ssh restart
Now, if an SSH session is connected with no activity for five minutes, it will be logged out automatically, hopefully reducing the chance of an open connection becoming vulnerable at an idle workstation.
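To check what a given sshd_config actually requests, here is a small audit script (an added example, not from the original post) that parses the two keywords the way sshd does and reports the resulting behaviour; it assumes the OpenSSH documentation's defaults (ClientAliveInterval 0, ClientAliveCountMax 3) and the current sshd_config(5) statement that a zero ClientAliveCountMax disables termination, and the sample config files are constructed.

```shell
#!/bin/sh
# Audit the ClientAlive* keywords in an sshd_config file and say what
# they actually do.  sshd takes the FIRST value found for a keyword and
# matches keywords case-insensitively, so the parser mirrors that.

# sshd_get KEYWORD FILE: print the first value of KEYWORD, or nothing.
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                    # comment line
        tolower($1) == key { print $2; exit }  # first match wins
    ' "$2"
}

# ssh_idle_verdict FILE: one-line verdict on the idle-logout behaviour.
ssh_idle_verdict() {
    interval=$(sshd_get ClientAliveInterval "$1")
    countmax=$(sshd_get ClientAliveCountMax "$1")
    : "${interval:=0}" "${countmax:=3}"   # OpenSSH defaults when unset
    if [ "$interval" -eq 0 ]; then
        echo "disabled: no client-alive probes, sessions never time out"
    elif [ "$countmax" -eq 0 ]; then
        # The post's setting: old sshd disconnects at the first probe
        # (after $interval seconds of silence); current sshd_config(5)
        # says a zero ClientAliveCountMax disables termination instead.
        echo "version-dependent: countmax 0 logs out after ${interval}s on old sshd, never on current sshd"
    else
        # A live client answers every probe, so only a dead link is
        # dropped; an idle user at a working client stays logged in.
        echo "dead-link only: drop after $((interval * countmax))s without a reply, idle users stay"
    fi
}

# Constructed sample configs (not real server files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Port 22\nClientAliveInterval 300\nClientAliveCountMax 0\n' > "$tmp/post.conf"
printf '# ClientAliveInterval 60\nclientaliveinterval 120\nClientAliveCountMax 3\n' > "$tmp/default.conf"
printf 'PermitRootLogin no\n' > "$tmp/bare.conf"

for f in post default bare; do
    echo "$f.conf: $(ssh_idle_verdict "$tmp/$f.conf")"
done
```

Run it against a real /etc/ssh/sshd_config to see which of the three cases applies; the verdict for a readonly TMOUT in the shell profile is a separate check.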
And another way is to edit /etc/profile or /etc/bashrc.
In it put:
readonly TMOUT=300
Then login as a user and try to change your TMOUT variable.
At my work, we need to have these shells, working on so many servers…
What we have is a policy that you lock your workstation as soon as you leave (CTRL-L on the keyboard).
If you don’t lock your workstation, what often happens is nasty things happen to your machine (vi is symlinked to less, etc.) or certain emails are sent to company lists (I resign, I’m gay, Hate me goood gramar an spelin i do etc.)
It’s very effective at allowing us to keep shells open to servers for a long time, whilst reducing the chance of them being abused by someone else 🙂