5.3.19 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax

Information

The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions.

ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.

ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3.

The client alive messages are sent through the encrypted channel

Setting ClientAliveCountMax to 0 disables connection termination

Example: The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds

Rationale:

Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk.

The recommended ClientAliveInterval setting is no greater than 600 seconds (10 minutes)

The recommended ClientAliveCountMax setting is 0

At the 15 minute interval, if the ssh session is inactive, the session will be terminated.

Impact:

In some cases this setting may cause termination of long-running scripts over SSH or remote automation tools which rely on SSH. In developing the local site policy, the requirements of such scripts should be considered and appropriate ServerAliveInterval and ClientAliveInterval settings should be calculated to insure operational continuity.

Solution

Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 600 and ClientAliveCountMax of 0:

ClientAliveInterval 600

ClientAliveCountMax 0

Default Value:

ClientAliveInterval 0

ClientAliveCountMax 3

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-12, 800-53|SC-10, CCI|CCI-001133, CCI|CCI-002361, CSCv7|16.11, Rule-ID|SV-204587r603261_rule, Rule-ID|SV-204589r603261_rule, STIG-ID|RHEL-07-040340

Plugin: Unix

Control ID: 081ae0d23097edad714fd7dd01a8b240bae1b3113b08d85a4c4cb5ed3b1f00c3