Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 3rd September 2008
arch arch is offline
Port Guard
Join Date: Jun 2008
Posts: 38
Default sshd doesn't time out

i want to cut out connections of users that have been idle for some time.
just to test it use ClientAlive* options. set *Interval to 1 second and *CountMax to 2 so in 4-5 sec connection must be killed. now by idle i mean user doesn't type any commands and/or watching some output of a command e.g dmesg (if that make a count for "idle").
default fbsd 7.0, ssh version OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007.
the problem is that, that ClientAlive* options doesn't do anything - e.g connection still alive after 5-10 mins
fbsd is running on vmware on windows host, using putty to connect. try it from within vmware, e.g. fbsd to fbsd ssh connection - no time out, try it on physical machine - same.
any input appriciated

#	$OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
#	$FreeBSD: src/crypto/openssh/sshd_config,v 1.47 2006/11/10 16:52:41 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
PrintMotd no
#VersionAddendum FreeBSD-20061110

Port 22
Protocol 2
AddressFamily inet

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
#MaxAuthTries 6

RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive no
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 1
ClientAliveCountMax 2
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
Verbose mode can also be turned on for SSH2 with the (surprise!) VerboseMode keyword.
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
sshd logging - can we get the ssh command? Mantazz FreeBSD Security 17 23rd May 2009 08:34 AM
Basic sshd hardening anomie Guides 12 12th September 2008 03:39 AM
cupsd and sshd slow mururoa FreeBSD General 3 27th August 2008 08:36 PM
sshd and timeout Sunsawe FreeBSD Security 6 29th May 2008 12:54 PM
Sudden SSHd restarts stukov General software and network 4 5th May 2008 06:39 PM

All times are GMT. The time now is 10:20 PM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick