5.2.16 Ensure SSH Idle Timeout Interval is configured

Information

The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions.

- ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
- ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3
- The client alive messages are sent through the encrypted channel
- Setting ClientAliveCountMax to 0 disables connection termination

Example:

If the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.

Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk.

- The recommended ClientAliveInterval setting is 300 seconds (5 minutes)
- The recommended ClientAliveCountMax setting is 3
- The ssh session would send three keep alive messages at 5 minute intervals. If no response is received after the third keep alive message, the ssh session would be terminated after 15 minutes.

Solution

Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. This should include ClientAliveInterval between 1 and 300 and ClientAliveCountMax of 3 or less:

ClientAliveInterval 300

ClientAliveCountMax 3

See Also

https://workbench.cisecurity.org/benchmarks/8498

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.11

Plugin: Unix

Control ID: 519056b8bdddd714a494322ddd49c5b9991066d083ba84a910caeb5969d05021