
How to configure SSH session timeouts

A quick guide on configuring session timeouts for SSH.

Sep 1st, 2021 • 4 min read

Logging out of your server is not something you may automatically think of doing, especially if you're in the middle of doing something else. As a result, you may find yourself still logged in to your server some time later when you're closing all those StackOverflow tabs! Like most software, SSH comes with a session timeout ability built in. Keep on reading and we'll show you how to get it configured.

How it works

Before we dive into how to set this up, it's worth understanding first how it all works. SSH connections are made up of the client side (your computer) and the server side, and both sides have different ways of detecting idle connections.

Server side

Server side connections via SSH essentially have an encrypted channel in the background that the server uses to contact the client and ask "hey, are you still there?". The SSH window on your computer will then reply and confirm it is. This means that you can leave an SSH connection open in the background and it can stay connected all day. If you turn your computer off or put it to sleep without disconnecting, the server side will not receive a response to those messages. If nothing is configured, you may find that you can turn on or wake up your computer and still be connected via SSH.

To combat this, we can instruct the server to disconnect any connection if it sends a certain number of messages without receiving any response.

Client side

The issue with server side timeouts is that you may not want a user to be able to keep an SSH connection open all day! You may simply want a user to be disconnected after 5 minutes if no command has been run. Sadly there isn't an actual option with SSH for this; however, we can use the TMOUT variable in bash to create the same effect by defining it in the global bashrc file.

Setting up server side timeouts

To set up the server side SSH timeouts, you'll first need to SSH onto your server as root, or a user with sudo access. Once in, open /etc/ssh/sshd_config in your preferred editor (I'm using nano for this tutorial) with sudo access.

sudo nano /etc/ssh/sshd_config

In that file, search for ClientAliveInterval and ClientAliveCountMax. They may be commented out with a hash symbol; if they are, remove the hash symbol.

ClientAliveInterval is the number of seconds between each of those messages and ClientAliveCountMax is the number of messages to send without receiving a response before it disconnects. So essentially the session timeout for an unresponsive client is ClientAliveInterval × ClientAliveCountMax.

Configuring the options as follows would result in a timeout of 10 minutes.

# 5 minutes
ClientAliveInterval 300
# 2 times
ClientAliveCountMax 2

# alternatively you could achieve the same result with
# 10 minutes
ClientAliveInterval 600
# 1 time
ClientAliveCountMax 1

Once you have the options set for your use case, save the file (if you're using nano it's CTRL + X followed by 'Y' to confirm and then enter). Then simply restart the SSH daemon to activate the changes.

sudo service sshd restart
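
To check what the two options add up to before restarting, the following added example (not part of the original guide) computes ClientAliveInterval × ClientAliveCountMax from sshd_config-style text. The function name client_alive_timeout and the sample config are made up for illustration; it assumes plain integer values, ignores Include files, and reads only the global settings above the first Match block.

```shell
#!/bin/sh
# Added example: print the unresponsive-client timeout, in seconds, for
# sshd_config-style text on stdin. client_alive_timeout is a hypothetical helper.
client_alive_timeout() {
    awk '
    BEGIN { interval = 0; count = 3; si = 0; sc = 0 }   # OpenSSH defaults
    {
        sub(/#.*/, "")                  # drop whole-line and trailing comments
        sub(/[ \t]*=[ \t]*/, " ")       # "Keyword=value" is also accepted by sshd
        if (NF == 0) next
        key = tolower($1); val = $2     # keywords are case-insensitive
        if (key == "match") exit        # global section only; jumps to END
        if (val !~ /^[0-9]+$/) next     # assumption: plain integers only
        # sshd keeps the first value it sees for each keyword
        if (key == "clientaliveinterval" && !si) { interval = val; si = 1 }
        if (key == "clientalivecountmax" && !sc) { count = val; sc = 1 }
    }
    END {
        # An interval of 0 sends no probes; current OpenSSH also treats a
        # count of 0 as "never disconnect".
        if (interval * count == 0) print "disabled"
        else print interval * count
    }'
}

# Constructed sample: the 300 x 2 setting from this guide, a commented-out
# default, and a later duplicate that sshd would ignore.
sample_config='#ClientAliveInterval 0
ClientAliveInterval 300
ClientAliveCountMax 2
ClientAliveInterval 600'

printf '%s\n' "$sample_config" | client_alive_timeout    # prints 600
```

On a live server the effective settings can be piped in with `sudo sshd -T | client_alive_timeout`, which also covers values set in included files.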

Setting up client side timeouts

As mentioned above, client side timeouts can be handled by configuring the TMOUT bash variable. You may be used to setting variables inside a single user's bashrc file, but that would only work if you logged in as that user. Instead, we'll set the variable in the global bashrc file, so it will affect every user.

Note, this timeout will also affect interactive shells, so if you start an interactive shell but then don't do anything, your connection may be terminated.

To configure client side timeouts, SSH into your server as root, or a user with sudo access. Once in, open /etc/bash.bashrc in your preferred editor with sudo access.

sudo nano /etc/bash.bashrc

Scroll to the bottom of the file and then add the following lines.

TMOUT=300
readonly TMOUT
export TMOUT

Amend the value of TMOUT to set a value suitable for your use case. As with the server options, this value is in seconds, so the above example will log you out after 5 minutes of inactivity. Once you've set the desired value, save and close the file (nano: CTRL + X followed by 'Y' to confirm and then enter).

As with changes to your user's bashrc file, you will need to restart your session for the settings to take effect. You can simply close your SSH connection and reconnect. Now, if you don't do anything in your connection, it will automatically close after the configured number of seconds.




Copyright © 2021 ServerAuth.com, All Rights Reserved.