Rocky9 - ssh timeout configuration question

I’m facing strange behaviour from 2 parameters in openssh: ClientAliveInterval and ClientAliveCountMax.

I have 2 servers, one Amazon Linux 2 (basically a CentOS 7) and one Rocky 9. Both have

  • TMOUT=600 in /etc/profile
  • ClientAliveInterval 300
    ClientAliveCountMax 0 in /etc/ssh/sshd_config

The curious thing is that on AL2, with an ssh session doing nothing else but waiting, I’m disconnected after 5 minutes; on R9 I’m disconnected after 10 minutes.

ClientAliveInterval and ClientAliveCountMax should be parameters to configure how ssh should clean up “dead” connections from clients, as I read here and there.

As far as I can see, the same configuration seems to bring 2 different behaviors.

AL2 has openssh version 7.4, Rocky 9 has 8.7

Which behavior is the correct one, or did something change between versions?

Are there bugs or known issues?

Thanks

You might take a look at this conversation here:
clientaliveinterval
What is the behavior you desire?
I don’t know about AL2 but I think RL9 is behaving correctly as clientaliveinterval is multiplied by clientalivecountmax and 300*0 is an impossibility.

Maybe the most important question, which I didn’t mention, thanks.

TLDR: I would like to be logged out after 5 minutes

Long version: we, engineers, act with a common user on this installation so when I log in as luca I have to perform sudo su - commonuser and act in this way.

If I set TMOUT=300, after 5 minutes of inactivity commonuser is logged out back to the luca user, and after another 5 minutes I’m logged out from the server, total 10 minutes.

In my mind, by setting the values:

ClientAliveInterval 300
ClientAliveCountMax 1 (as you suggest)

should log me out regardless of which user I am. On AL2 (or CentOS 7) this configuration works, even with ClientAliveCountMax 0. I don’t know why, but the effect I’m searching for is this one … if possible.

You might have to experiment with those settings. In reading the sshd_config man page it says the ClientAliveCountMax=3 is the default setting and setting it to “0” disables timeouts altogether. I assume this default setting has no effect unless ClientAliveInterval is set. So you could set ClientAliveInterval to “100” and leave the default setting for ClientAliveCountMax and then after 300 seconds of inactivity from your user the session would end. There is also the ChannelTimeout setting but these are all based on inactivity, not hard session time limits.

After reading further I’m not sure there is a reliable way to achieve your goal w/o a careful study of the means described here in this discussion:
SSH Timeouts

That discussion covers the behavior of what you saw on AL2. Rocky9’s version of ssh (8.7) does not have the ChannelTimeout keyword which appeared in version (9.2).

I think that your answer solves my issue since

“A historical note: Before OpenSSH 8.2 (Feb 14, 2020) the ClientAliveCountMax worked differently with 0, having the side effect that it could have been used for terminating idle connections”

Thank you!!!
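
An added example, not part of the thread: a small check that reads the two keywords from an sshd_config excerpt and reports what they do on a given OpenSSH version, using the 8.2 change quoted above and the sshd_config(5) defaults. The function names, the effect labels and the version banners (built from the 7.4 and 8.7 mentioned in the thread) are assumptions made for this sketch, and values are assumed to be plain seconds.

```python
import re

DEFAULTS = {"clientaliveinterval": "0", "clientalivecountmax": "3"}  # sshd_config(5) defaults

def parse_sshd_config(text):
    """Global keywords only; sshd keeps the first value it reads for a keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "match":   # conditional blocks are out of scope here
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return {**DEFAULTS, **opts}

def openssh_version(banner):
    """'OpenSSH_8.7p1, OpenSSL ...' -> (8, 7)"""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no OpenSSH version in {banner!r}")
    return int(m.group(1)), int(m.group(2))

def client_alive_effect(banner, config_text):
    """Return (effect, seconds). Assumes plain-second values, as in the thread."""
    opts = parse_sshd_config(config_text)
    interval = int(opts["clientaliveinterval"])
    count = int(opts["clientalivecountmax"])
    if interval == 0:
        return ("probes-off", None)               # no client alive messages are sent
    if count == 0:
        if openssh_version(banner) < (8, 2):
            return ("idle-disconnect", interval)  # pre-8.2 side effect quoted in the thread
        return ("termination-disabled", None)     # 8.2+: zero disables termination
    # Non-zero count: only clients that stop answering the probes are dropped.
    return ("unresponsive-client-only", interval * count)

# Constructed sample: the settings from the thread, with illustrative version banners.
THREAD_CONFIG = """\
# /etc/ssh/sshd_config (excerpt)
ClientAliveInterval 300
ClientAliveCountMax 0
"""

if __name__ == "__main__":
    for banner in ("OpenSSH_7.4p1", "OpenSSH_8.7p1"):
        print(banner, client_alive_effect(banner, THREAD_CONFIG))
```

On the 8.7 banner the result is that sshd itself never ends the session, which matches the 10 minutes from TMOUT=600 reported in the thread.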
