Photo by Jon Tyson on Unsplash
Automatically terminate OpenSSH sessions
The Clock Is Ticking
When configuring a system, a large number of settings are required to meet compliance requirements. Common Criteria [1] is an international standard for the security certification of computer systems. The standard defines the requirements as security targets.
Targets look different depending on the system you are using. For example, the requirements for a mobile device differ from those for a desktop system, which explains why protection profiles are different. The Protection Profile for general-purpose operating systems [2] clearly stipulates that user sessions must either be terminated or, alternatively, locked after a certain period of inactivity.
However, recent OpenSSH versions block a workaround frequently used to meet this requirement. We show you how to use the systemd-logind service to solve this dilemma.
Compliance Undermined
The US Department of Defense (DOD) Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) [3] also stipulate these requirements for operating systems. The Guide for Red Hat Enterprise Linux 8 [4] proposes implementing these rules with specific configurations of the OpenSSH service. Two statements, ClientAliveInterval and ClientAliveCountMax, are intended to help meet the compliance requirements:
```
grep -i clientalive /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0
```
Once you have made these changes to your OpenSSH configuration, an SSH connection to this system will be disconnected after 10 minutes of inactivity, in exactly the way required by the Common Criteria and DISA STIGs.
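A plain grep -i as in the listing above also matches commented-out defaults, duplicate entries, and overrides inside Match blocks, whereas sshd uses the first value it obtains for each keyword. The following script is an added example, not code from the article: it reports the value the global section actually yields and classifies the result. The function names and the sample file are hypothetical, values are assumed to be plain seconds, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the article. Assumptions: values are plain seconds;
# Include files and Match blocks are not evaluated (global section only).

# Print the value sshd would use for keyword $2 in file $1 (empty if unset).
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # drop comments, allow key=value
        tolower($1) == "match"      { exit }            # global section ends here
        tolower($1) == tolower(key) { print $2; exit }  # first value wins
    ' "$1"
}

# Classify the keepalive settings of config file $1 in one line.
audit_clientalive() {
    interval=$(effective_value "$1" ClientAliveInterval)
    count=$(effective_value "$1" ClientAliveCountMax)
    interval=${interval:-0}   # sshd default: 0 (no keepalive probes sent)
    count=${count:-3}         # sshd default: 3
    if [ "$interval" -eq 0 ]; then
        echo "disabled"
    elif [ "$count" -eq 0 ]; then
        # The 600/0 pattern shown in the article: the workaround that,
        # per the article, recent OpenSSH versions block.
        echo "workaround interval=${interval}"
    else
        echo "keepalive unresponsive-after=$((interval * count))s"
    fi
}

# Constructed sample config: grep -i clientalive would print six lines here,
# including commented defaults, a duplicate and a Match override.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#ClientAliveInterval 0
#ClientAliveCountMax 3
ClientAliveInterval 600
ClientAliveCountMax 0
ClientAliveCountMax 3
Match User backup
    ClientAliveInterval 30
EOF

audit_clientalive "$sample"
```

On a live system, sshd -T prints the effective configuration including Include files, which is the authoritative check.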
The problem is, though, that these two
...