sshd doesn't time out
I want to cut out connections of users that have been idle for some time.
Just to test it, I use the ClientAlive* options: set *Interval to 1 second and *CountMax to 2, so in 4-5 sec the connection must be killed. Now, by idle I mean the user doesn't type any commands and/or is watching some output of a command, e.g. dmesg (if that counts as "idle"). Default fbsd 7.0, ssh version OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007.
The problem is that the ClientAlive* options don't do anything - e.g. the connection is still alive after 5-10 mins. fbsd is running on vmware on a windows host, using putty to connect. Tried it from within vmware, e.g. fbsd to fbsd ssh connection - no time out; tried it on a physical machine - same. Any input appreciated.
Code:
#	$OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
#	$FreeBSD: src/crypto/openssh/sshd_config,v 1.47 2006/11/10 16:52:41 des Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

PrintMotd no
#VersionAddendum FreeBSD-20061110

Port 22
Protocol 2
AddressFamily inet
ListenAddress 192.168.250.2
ListenAddress 192.168.252.2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
#MaxAuthTries 6

RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive no
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 1
ClientAliveCountMax 2
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
__________________
Verbose mode can also be turned on for SSH2 with the (surprise!) VerboseMode keyword.
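Added example, not part of the original thread: a simplified Python model of the ClientAliveInterval / ClientAliveCountMax behaviour documented in sshd_config(5), run against the three keep-alive lines from the configuration posted above. The function names, the whole-second tick and the 600-second window are assumptions of the model; it shows that the probes drop a client that stops answering, while an idle session whose client (PuTTY or ssh) still answers stays connected.

```python
# Excerpt of the configuration posted in the thread (values from the page).
SAMPLE = """
TCPKeepAlive no
#Compression delayed
ClientAliveInterval 1
ClientAliveCountMax 2
"""


def parse_client_alive(config_text):
    """Return (interval, count_max); the first value seen for a keyword wins.

    Assumes plain integer seconds (no "1m"-style time suffixes).
    """
    found = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            found.setdefault(parts[0].lower(), parts[1].strip())
    # Defaults per sshd_config(5): interval 0 (probing off), count max 3.
    return (int(found.get("clientaliveinterval", 0)),
            int(found.get("clientalivecountmax", 3)))


def simulate(interval, count_max, client_answers, duration):
    """Return the second at which the server drops an idle session, or None.

    Idle means the user types nothing, so the only data the server can
    receive is the client's automatic reply to a probe.
    """
    if interval <= 0:
        return None                  # probing disabled
    unanswered = 0
    for now in range(interval, duration + 1, interval):
        # 'interval' seconds passed without data from the client.
        if unanswered >= count_max:
            return now               # count_max probes went unanswered
        unanswered += 1              # server sends a probe
        if client_answers:
            unanswered = 0           # the reply counts as received data
    return None


if __name__ == "__main__":
    interval, count_max = parse_client_alive(SAMPLE)
    print("idle user, client answers probes:",
          simulate(interval, count_max, True, 600))
    print("client unreachable, dropped at second:",
          simulate(interval, count_max, False, 600))
```

Timing in a real sshd is approximate; the model only reproduces the documented counter logic.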
Alternatively, you may use idled for this purpose.
Did you reload the sshd daemon?
Reload, restart, start/stop, install from ports (fetched the source and used --prefix=/some_dir, started it from $prefix) and again no time out. Does ClientAlive* depend on something else, like the PasswordAuthentication or ChallengeResponseAuthentication option?