5.2.20 Ensure SSH Idle Timeout Interval is configured

Information

The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions.

- ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
- ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3.
- The client alive messages are sent through the encrypted channel.
- Setting ClientAliveCountMax to 0 disables connection termination.

Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds.

Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk.

- The recommended ClientAliveInterval setting is no greater than 900 seconds (15 minutes).
- The recommended ClientAliveCountMax setting is 0.
- At the 15 minute interval, if the ssh session is inactive, the session will be terminated.

Solution

Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 900 and ClientAliveCountMax of 0:

ClientAliveInterval 900
ClientAliveCountMax 0
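The following is an added example, not part of the original benchmark text or of any Tenable/CIS audit plugin. It shows how an auditor could check an sshd_config against the values this item asks for (ClientAliveInterval between 1 and 900, ClientAliveCountMax of 0) and reproduces the arithmetic from the worked example above (15 seconds x 3 messages = roughly 45 seconds). The parser follows two sshd rules that matter for a correct audit: keywords are case-insensitive, and when a keyword appears more than once the first value read wins. Only the global section before the first Match block is evaluated; the sample configuration embedded below is constructed for offline testing and is not taken from a real host.

```python
"""Audit the 5.2.20 SSH idle-timeout settings in an sshd_config file.

Added example (not the benchmark's or Tenable's own code). Assumptions:
sshd's compiled-in defaults apply when a keyword is absent
(ClientAliveInterval 0, ClientAliveCountMax 3), and the first value
read for a keyword is the effective one, as in sshd.
"""
import re
import sys

# Constructed sample sshd_config used when no path is given on the command line.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample, not from a real host)
Port 22
#ClientAliveInterval 0
clientaliveinterval 900
ClientAliveCountMax 0
# The next line is ignored by sshd: the first value read (900) wins.
ClientAliveInterval 300

Match User backup
    ClientAliveInterval 3600
"""


def parse_global_options(text):
    """Return {keyword_lower: first_value} for the global section of an sshd_config.

    Lines whose first non-blank character is '#' are comments. Keywords and values
    may be separated by whitespace or by '='. Parsing stops at the first 'Match'
    keyword because everything after it is conditional, not global.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)  # first occurrence wins, as in sshd
    return opts


def approx_disconnect_seconds(interval, count_max):
    """Seconds an unresponsive client stays connected, per the worked example:
    one alive message every `interval` seconds, disconnect after `count_max`
    unanswered messages (15 s x 3 = 45 s in the benchmark's example)."""
    return interval * count_max


def audit_idle_timeout(opts):
    """Check the parsed global options against this item's expected values.

    Expected: 1 <= ClientAliveInterval <= 900 and ClientAliveCountMax == 0.
    Missing keywords fall back to sshd's defaults (0 and 3), which fail the check.
    """
    interval = int(opts.get("clientaliveinterval", "0"))
    count_max = int(opts.get("clientalivecountmax", "3"))
    findings = []
    if not 1 <= interval <= 900:
        findings.append(f"ClientAliveInterval is {interval}; expected 1-900")
    if count_max != 0:
        findings.append(f"ClientAliveCountMax is {count_max}; expected 0")
    return {
        "ClientAliveInterval": interval,
        "ClientAliveCountMax": count_max,
        "compliant": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    # Usage: python audit_ssh_idle.py [/etc/ssh/sshd_config]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            config_text = fh.read()
    else:
        config_text = SAMPLE_SSHD_CONFIG
    result = audit_idle_timeout(parse_global_options(config_text))
    status = "PASS" if result["compliant"] else "FAIL"
    print(f"5.2.20 {status}: ClientAliveInterval={result['ClientAliveInterval']} "
          f"ClientAliveCountMax={result['ClientAliveCountMax']}")
    for finding in result["findings"]:
        print(f"  - {finding}")
```

On a live host, `sshd -T` prints the effective values after all includes and defaults are resolved, which is the authoritative source; the file parser above is useful when auditing configuration copies offline or in a pipeline where sshd cannot be executed.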

Impact:

In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to ensure operational continuity.

See Also

https://workbench.cisecurity.org/files/3742

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.11

Plugin: Unix

Control ID: c8d80d9f5fde7393a228bbcec3a859de0f3fdd271f8ece720019ce986042bdfb