Bug 3182

Summary: openssh-8.2 make ClientAliveCountMax=0 disable the connection
Product: Portable OpenSSH Reporter: kircher <kircherlike>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: security CC: djm, jvishwanath66, luke.j.dennis+bugzilla
Priority: P1    
Version: 8.2p1   
Hardware: ARM64   
OS: Linux   

Description kircher 2020-06-17 18:44:16 AEST 
The meaning of the ClientAliveCountMax=0 parameter modified in OpenSSH 8.2 is as follows: 
https://anongit.mindrot.org/openssh.git/commit/?id=69334996ae203c51c70bf01d414c918a44618f8e

This modification indicates that the OpenSSH does not provide the function of exiting the client due to timeout after no operation is performed on the client for a long time. In most cases, a client that does not perform any operation responds to the heartbeat packets sent by the server. 

The TMOUT parameter in /etc/profile can implement this function. This parameter, however, is configurable on the client. 

We hope that OpenSSH can re-provide a parameter on the server to make the client that does not perform any operation exit due to timeout.
Comment 1 Damien Miller 2020-07-31 13:34:45 AEST 
Killing the connection because of inactivity was never the specified function of ClientAliveInterval and that it happened to work that way was an accident. Note that the previous behaviour was not reliable - a client that set a ServerAliveInterval or that kept a forwarded TCP connection open would never be killed for inactivity.

If you need a idle timeout, then I suggest looking at shell features (e.g. bash's TMOUT) or something like a PAM module.
Comment 2 Damien Miller 2021-03-04 09:52:49 AEDT 
close bugs that were resolved in OpenSSH 8.5 release cycle
Comment 3 Luke 2022-05-10 10:00:24 AEST 
(In reply to Damien Miller from comment #1)
> If you need a idle timeout, then I suggest looking at shell features
> (e.g. bash's TMOUT) or something like a PAM module.

I am trying to add an idle timeout to an ssh server on an embedded system which does not have bash. I haven't been able to find any reference to a PAM that will add timeout functionality, would you be able to point me in the right direction? Either a specific module if you know if one or some keywords that will help find some results?

Thanks!
Comment 4 Vishwanath Jadhav 2023-02-16 01:04:39 AEDT 
Hi Damien Miller,

`close bugs that were resolved in OpenSSH 8.5 release cycle`

can u please share the BZ(or release notes) for the provided fix.
Comment 5 Damien Miller 2023-02-16 10:31:40 AEDT 
https://www.openssh.com/releasenotes.html#9.2 under "New Features"