Bug 3172 - Idle connections not closed automatically
Summary: Idle connections not closed automatically
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 8.2p1
Hardware: amd64 Linux
: P5 critical
Assignee: Assigned to nobody
Reported: 2020-05-29 19:15 AEST by Stefan
Modified: 2021-12-15 03:54 AEDT

Description Stefan 2020-05-29 19:15:33 AEST
Hello together,

I have set ClientAliveCountMax=1 and ClientAliveInterval=300 and expected that any idle SSH connection will be closed automatically after 5min of inactivity. This is not the case. I have also tried to disable it by setting ClientAliveCountMax=0 but the behavior is the same. Any ssh connection remains open forever.

Can you confirm that there is an issue with this?

Thank you and with best regards,
Stefan
Comment 1 Damien Miller 2020-05-29 21:35:27 AEST
These settings are not for closing idle sessions, but for closing sessions when network connectivity has failed. Are you testing by not passing keystrokes through the session? If so, that won't work - you can test these options by blocking traffic with firewall rules or by physically pulling a network plug if you prefer :)
Comment 2 Stefan 2020-06-02 15:56:27 AEST
Yes, I am testing by not passing keystrokes through the session.

Can you please tell me which settings are for closing idle sessions then? :) 

All I have found on the internet, and even the CIS recommendation (https://www.cisecurity.org/cis-benchmarks/), is to use these two settings for closing idle connections automatically. 

Before using OpenSSH 8.2 we were running OpenSSH 7.9. With 7.9 everything worked as expected with ClientAliveCountMax=0 and ClientAliveInterval=300 - any idle connection was closed automatically after 5min. Since the update this does not work anymore. We did not change anything in our sshd config.

In the OpenSSH 8.2 release notes I have found a bug fix regarding ClientAliveCountMax which indicates a changed behavior (https://bugzilla.mindrot.org/show_bug.cgi?id=2627)

 * sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
   will now disable connection killing entirely rather than the
   current behaviour of instantly killing the connection after the
   first liveness test regardless of success. bz2627

That is why I have played around with ClientAliveCountMax but without success.

Your help is really appreciated - thank you.
Comment 3 Darren Tucker 2020-06-02 19:29:22 AEST
(In reply to Stefan from comment #2)
> Can you please tell me which settings are for closing idle sessions
> then? :) 

sshd doesn't actually know when the shell is idle.  Is the shell idle during "sleep 60"?  Try something like bash's TMOUT variable.
Comment 4 Stefan 2020-06-03 01:16:40 AEST
(In reply to Darren Tucker from comment #3)
> (In reply to Stefan from comment #2)
> > Can you please tell me which settings are for closing idle sessions
> > then? :) 
> 
> sshd doesn't actually know when the shell is idle.  Is the shell
> idle during "sleep 60"?  Try something like bash's TMOUT variable.

Yes, when I am using TMOUT inside, the session is terminated automatically. I don't even need an explicit sleep command. So the session is really idle.
Comment 5 Stefan 2020-06-10 15:39:16 AEST
Any idea why it works for OpenSSH 7.9 and does not work anymore with OpenSSH 8.x?
Comment 6 Damien Miller 2020-07-31 13:31:35 AEST
ClientAliveCountMax=0 has never been specified to work as an idle timeout. If it did that then it was by accident and would be unreliable. E.g. if the client specified its own ServerAliveTimeout or kept a forwarded TCP connection open then it would never fire.
Comment 7 josh 2021-12-15 03:54:33 AEDT
This is another call to either restore the previous functionality (which, I will point out, is "documented" as a solution to disconnecting idle SSH connections all over the web, including posts dated well after the change in OpenSSH - not your problem, yet it does point out a widespread usage of said functionality).  While I understand the call to use the TMOUT shell variable, that ONLY works when the SSH session in question is ALSO the shell in question.  SSHing into one system where the TMOUT variable is set and then SSHing from there into another system completely eliminates the first shell's timeout functionality, as it never returns to a shell prompt until the SSH session exits.  And when the timeout needs to be implemented on the first server, but not the second (e.g., a bastion gateway SSH server used to provide access to internal servers that don't/shouldn't have timeout on shells), it essentially eliminates the ability to timeout idle SSH sessions on that first server.

I understand that the ClientAliveInterval and ClientAliveCountMax were not originally intended to provide a timeout functionality, and that logically ClientAliveCountMax=0 should disable the option, but in today's network environment there needs to be a reasonable way to force idle SSH connections to close at the SSH server level.  Can I suggest that perhaps setting ClientAliveCountMax=-1 would be a reasonable way to tell sshd that if it waits ClientAliveInterval without any data packets that it should close the connection immediately?  That could then be documented as explicitly being the way to disconnect idle sessions - set ClientAliveInterval=<timeout> and ClientAliveCountMax=-1 to automatically disconnect after <timeout> with no data.
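As an added example (not from this bug report or from OpenSSH), the following POSIX shell script reads the two ClientAlive* directives from a constructed sshd_config and computes what they actually bound, namely how long a dead link survives before sshd drops it, applying the 8.2 rule from comment 2 that ClientAliveCountMax=0 disables the check; it also emits the TMOUT profile snippet comments 3 and 7 discuss. The function names, the sample config and the 300s value are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of OpenSSH. Function names,
# the constructed sample config and the 300s value are assumptions.

# First-match lookup of an sshd_config directive, case-insensitive, with
# either "Key value" or "Key=value" spelling; comment lines are skipped.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        { split(line, f, /[[:space:]=]+/) }
        tolower(f[1]) == key { print f[2]; exit }
    ' "$1"
}

# What ClientAliveInterval/ClientAliveCountMax really bound: seconds a link
# that has gone silent (cable pulled, firewall drop) survives before sshd
# closes it. "disabled" when the interval is 0 (sshd default) or, per the
# 8.2 release note quoted in comment 2, when ClientAliveCountMax is 0.
dead_link_timeout() {
    interval=$(sshd_directive "$1" ClientAliveInterval)
    countmax=$(sshd_directive "$1" ClientAliveCountMax)
    interval=${interval:-0}
    countmax=${countmax:-3}   # sshd's default ClientAliveCountMax
    if [ "$interval" -eq 0 ] || [ "$countmax" -eq 0 ]; then
        echo disabled
    else
        echo $((interval * countmax))
    fi
}

# Writes a constructed sshd_config with the reporter's interval and the
# given ClientAliveCountMax; prints the temp file path.
write_sample_config() {
    f=$(mktemp)
    printf '# constructed sample\nClientAliveInterval 300\nClientAliveCountMax %s\n' "$1" > "$f"
    echo "$f"
}

# The shell-side idle timeout comment 3 points to: bash's TMOUT, made
# read-only so a user cannot unset it. As comment 7 notes, it only counts
# while bash waits at its prompt, so a nested ssh from this shell pauses it.
tmout_profile_snippet() {
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$1"
}

cfg=$(write_sample_config 1)
echo "dead-link timeout: $(dead_link_timeout "$cfg")s (not an idle timeout)"
rm -f "$cfg"
```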