sshd - time out idle connections
Hello list,

I'm facing this unusual demand at work where we need to time out idle SSH connections for security purposes.

I've checked the following options from sshd_config but none seems to fit my needs:
TCPKeepAlive
ClientAliveCountMax
ClientAliveInterval

Basically, I'm trying to defeat the use of the following client-side option:
ServerAliveInterval 5

I'm afraid all I've hit now is dead ends.

Has anyone ever had the same requirements before and, perhaps, found a solution to this?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: sshd - time out idle connections
Depending on the shell you are using, you may be able to set that to auto-logout, or you could set a cron job to run every 5 minutes and terminate tty's with > 5min idle time.

Honestly though, you will rarely find a good technical solution to a social problem--there's always a work-around--and this is a social problem. If there is a company security policy stating that ssh sessions are not to be left idling > 5 min, then make sure everyone is aware of this policy and start handing out pink slips to people that violate it.

-M

On 13-05-03 8:28 AM, Fleuriot Damien wrote:
> Hello list,
>
> I'm facing this unusual demand at work where we need to time out idle SSH connections for security purposes.
>
> I've checked the following options from sshd_config but none seems to fit my needs:
> TCPKeepAlive
> ClientAliveCountMax
> ClientAliveInterval
>
> Basically, I'm trying to defeat the use of the following client-side option:
> ServerAliveInterval 5
>
> I'm afraid all I've hit now is dead ends.
>
> Has anyone ever had the same requirements before and, perhaps, found a solution to this?
Re: sshd - time out idle connections
Thanks for your response Markham,

I'm afraid labor law is much too protective here for us to be able to "educate" users in this way ;)

Your idea to run a cron job every X minutes has merit though, I'll try and check into that!

On May 3, 2013, at 4:51 PM, markham breitbach wrote:
> Depending on the shell you are using, you may be able to set that to auto-logout, or you could set a cron job to run every 5 minutes and terminate tty's with > 5min idle time.
>
> Honestly though, you will rarely find a good technical solution to a social problem--there's always a work-around--and this is a social problem. If there is a company security policy stating that ssh sessions are not to be left idling > 5 min, then make sure everyone is aware of this policy and start handing out pink slips to people that violate it.
>
> -M
>
> On 13-05-03 8:28 AM, Fleuriot Damien wrote:
>> Hello list,
>>
>> I'm facing this unusual demand at work where we need to time out idle SSH connections for security purposes.
>>
>> I've checked the following options from sshd_config but none seems to fit my needs:
>> TCPKeepAlive
>> ClientAliveCountMax
>> ClientAliveInterval
>>
>> Basically, I'm trying to defeat the use of the following client-side option:
>> ServerAliveInterval 5
>>
>> I'm afraid all I've hit now is dead ends.
>>
>> Has anyone ever had the same requirements before and, perhaps, found a solution to this?
Re: sshd - time out idle connections
Allow me to add a bit of context here.

We're wrapping things up to obtain the PCI DSS certification which is awarded for running through a long and annoying series of hoops. This certification is rather important to our business so like it or not, we have to play along.

Allowing the use of screen defeats the purpose of logging out idle connections, I don't think we're going to pass this specific requirement if we let users run screen.

On May 3, 2013, at 5:18 PM, "Mikel King" wrote:
> Firing people for violating the 5 minute rule seems a tad extreme. If there is indeed a company policy regarding the 5 minute idle window and you intend to roll forward with a connection kill script then also make screen or tmux available. In my experience people tend to be more accepting of connection outages if they can reconnect to where they were when they were last on.
>
> Regards,
> Mikel King
> BSD News
>
> From: Fleuriot Damien [mailto:m...@my.gd]
> To: FreeBSD questions [mailto:freebsd-questions@freebsd.org]
> Sent: Fri, 03 May 2013 10:28:31 -0400
> Subject: sshd - time out idle connections
>
> Hello list,
>
> I'm facing this unusual demand at work where we need to time out idle SSH connections for security purposes.
>
> I've checked the following options from sshd_config but none seems to fit my needs:
> TCPKeepAlive
> ClientAliveCountMax
> ClientAliveInterval
>
> Basically, I'm trying to defeat the use of the following client-side option:
> ServerAliveInterval 5
>
> I'm afraid all I've hit now is dead ends.
>
> Has anyone ever had the same requirements before and, perhaps, found a solution to this?
Re: sshd - time out idle connections
On May 3, 2013, at 5:16 PM, Arthur Chance wrote:
> On 05/03/13 15:28, Fleuriot Damien wrote:
>> Hello list,
>>
>> I'm facing this unusual demand at work where we need to time out idle SSH connections for security purposes.
>>
>> I've checked the following options from sshd_config but none seems to fit my needs:
>> TCPKeepAlive
>> ClientAliveCountMax
>> ClientAliveInterval
>>
>> Basically, I'm trying to defeat the use of the following client-side option:
>> ServerAliveInterval 5
>>
>> I'm afraid all I've hit now is dead ends.
>>
>> Has anyone ever had the same requirements before and, perhaps, found a solution to this?
>
> There's an idletime parameter in login.conf which will log out idle users. Normally sshd bypasses login, but the sshd config parameter UseLogin can change that, although it disables X11Forwarding.
>
> Note: this is all from a quick perusal of the source and manuals, I've not done it myself.
>
> --
> In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
> new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
> were cruel and delighted in torturing spelling and grammar.
>
> _Lord of the Rings 2.0, the Web Edition_

I've already tried using login.conf's idle timeout option and was sad indeed that it didn't apply to SSH connections.

It never occurred to me that UseLogin might be involved there… I'll have a look at it as well, thanks for your help Arthur.
Re: sshd - time out idle connections
On 05/03/13 15:28, Fleuriot Damien wrote:
> Hello list,
>
> I'm facing this unusual demand at work where we need to time out idle SSH connections for security purposes.
>
> I've checked the following options from sshd_config but none seems to fit my needs:
> TCPKeepAlive
> ClientAliveCountMax
> ClientAliveInterval
>
> Basically, I'm trying to defeat the use of the following client-side option:
> ServerAliveInterval 5
>
> I'm afraid all I've hit now is dead ends.
>
> Has anyone ever had the same requirements before and, perhaps, found a solution to this?

There's an idletime parameter in login.conf which will log out idle users. Normally sshd bypasses login, but the sshd config parameter UseLogin can change that, although it disables X11Forwarding.

Note: this is all from a quick perusal of the source and manuals, I've not done it myself.

--
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
were cruel and delighted in torturing spelling and grammar.

_Lord of the Rings 2.0, the Web Edition_
Re: sshd - time out idle connections
Firing people for violating the 5 minute rule seems a tad extreme. If there is indeed a company policy regarding the 5 minute idle window and you intend to roll forward with a connection kill script then also make screen or tmux available. In my experience people tend to be more accepting of connection outages if they can reconnect to where they were when they were last on.

Regards,
Mikel King
BSD News

> From: Fleuriot Damien [mailto:m...@my.gd]
> To: FreeBSD questions [mailto:freebsd-questions@freebsd.org]
> Sent: Fri, 03 May 2013 10:28:31 -0400
> Subject: sshd - time out idle connections
>
> Hello list,
>
> I'm facing this unusual demand at work where we need to time out idle SSH connections for security purposes.
>
> I've checked the following options from sshd_config but none seems to fit my needs:
> TCPKeepAlive
> ClientAliveCountMax
> ClientAliveInterval
>
> Basically, I'm trying to defeat the use of the following client-side option:
> ServerAliveInterval 5
>
> I'm afraid all I've hit now is dead ends.
>
> Has anyone ever had the same requirements before and, perhaps, found a solution to this?
Re: sshd - time out idle connections
On 5/3/2013 10:05 AM, Fleuriot Damien wrote:
> Thanks for your response Markham,
>
> I'm afraid labor law is much too protective here for us to be able to "educate" users in this way ;)
>
> Your idea to run a cron job every X minutes has merit though, I'll try and check into that!

If labor law's stopping you, what does the law say about security/privacy breaches because someone stole a laptop that was still connected to your server?

Run a cron job, and kill any ssh process that's lasted longer than five minutes, ignore what's being run. Also kill any detached process by that user. If you must do something, you probably have sudo rights to pause cron.

Why are you allowing ssh if you're not letting it be usable?

I might also look into the annoyance of having a different authentication method just for ssh, setting its pam config to be different than other services. If everything else uses kerberos, have ssh just use unix and not kerberos. It seems like a simple way to further limit access.
Re: sshd - time out idle connections
On Fri, 3 May 2013 17:22:04 +0200, Fleuriot Damien wrote:
> Allow me to add a bit of context here.
>
> We're wrapping things up to obtain the PCI DSS certification which
> is awarded for running through a long and annoying series of hoops.
> This certification is rather important to our business so like it
> or not, we have to play along.

I'm familiar with this stupid concept. They are forcing you to fiddle with things that work fine as it is, just to get a sheet of shiny paper. After all, this sheet of paper allows you to raise your prices. :-)

> Allowing the use of screen defeats the purpose of logging out idle
> connections, I don't think we're going to pass this specific
> requirement if we let users run screen.

What _defines_ an idle connection?

Let's say a user logs in via SSH and leaves the session untouched. Idle for 5 minutes? True. Disconnect.

But what about this? After logging in, the user starts some program, maybe something like top, mc (Midnight Commander) or pine. Is this also considered idle? Is idle tied to "keystrokes received on the other end", or more like "data sent to the client"? Is one sufficient, or are both required, to consider a connection "not idle", therefore not disconnecting it?

What about batch processes? Can a user log in, submit a batch job, and then leave, while his batch job starts to run 10 minutes later (and finishes after 30 minutes)?

Does the oh so holy specification for the glorious certification say anything about it, something you could incorporate into the concept and _then_ come up with an idea for implementation?

The only chance to _really_ comply with the "certification rule" and therefore defeat any countermeasures possibly taken by users (tmux, screen, detach et al.) is to disconnect _any_ connection regardless of what the user is doing, killing all additional background processes and "at"-timed commands. Does this stop users from being idle more than 5 minutes? Sure, but it also STOPS THEM FROM DOING ACTUAL WORK, depending on how they use their SSH connections for that! However, the most excellent certification does not take that into mind, so why should you? ;-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
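Two points in the thread are worth pinning down in code: Markham's suggestion of a cron job that terminates ttys idle for more than 5 minutes, and Polytropon's question of what actually counts as "idle". The sshd_config ClientAlive* options only detect a peer that stops answering keepalives, so a client with ServerAliveInterval set is never disconnected by them; a session reaper driven by w(1) measures something different, namely the time since the last keystroke on the tty. The script below is an added example written for this thread, not code from any of the posters or from FreeBSD itself. It assumes the IDLE column of FreeBSD's w(1) takes the forms "-" (under a minute), "N" (minutes), "H:MM" (hours:minutes) and "Ndays"/"1day", and that pkill(1) accepts the tty name as w(1) prints it (for example "pts/0"); the w(1) lines fed to the dry run are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-driven idle-session reaper.
# It parses `w -hn` output, converts the IDLE column to whole minutes and
# hangs up every session that has been idle for at least a given limit.
# Assumption: FreeBSD w(1) IDLE formats "-", "N", "H:MM", "Ndays"/"1day";
# assumption: `pkill -t pts/N` matches processes on that controlling tty.

# idle_ttys LIMIT: read `w -hn` style lines on stdin and print "USER TTY"
# for every session idle for LIMIT minutes or more.
idle_ttys() {
    awk -v limit="$1" '
    function idle_minutes(s,    h) {
        if (s == "-") return 0                          # under one minute
        if (s ~ /day/) { sub(/day.*/, "", s); return s * 1440 }
        if (s ~ /:/)   { split(s, h, ":"); return h[1] * 60 + h[2] }
        return s + 0                                    # plain minutes
    }
    # w -h columns: USER TTY FROM LOGIN@ IDLE WHAT...
    NF >= 5 && idle_minutes($5) >= limit { print $1, $2 }'
}

# sample_w_output: constructed `w -hn` lines for a dry run (not real data).
sample_w_output() {
    cat <<'EOF'
alice    pts/0    192.0.2.10       10:28AM     7 -sh
bob      pts/1    192.0.2.11       10:30AM     - top
carol    pts/2    192.0.2.12        9:02AM  1:12 vi notes.txt
dave     pts/3    192.0.2.13       Fri04PM 2days bash
erin     pts/4    192.0.2.14       10:40AM     4 less /var/log/auth.log
EOF
}

# reap_idle_sessions LIMIT [kill|dry]: SIGHUP every process whose controlling
# tty w(1) reports idle for LIMIT minutes or more. Default mode only reports,
# so the script can be checked against live sessions before it is armed.
reap_idle_sessions() {
    limit="$1"; mode="${2:-dry}"
    w -hn | idle_ttys "$limit" | while read -r user tty; do
        if [ "$mode" = "kill" ]; then
            # Leave an audit trail in syslog for each forced logout.
            logger -t idle-reaper "hanging up $user on $tty (idle >= ${limit}m)"
            pkill -HUP -t "$tty"
        else
            echo "would hang up $user on $tty (idle >= ${limit}m)"
        fi
    done
}

# count_idle LIMIT: how many sessions in the constructed sample exceed LIMIT.
count_idle() {
    sample_w_output | idle_ttys "$1" | wc -l | tr -d ' '
}

# Dry run over the sample at a 5-minute limit: alice (7m), carol (1h12m)
# and dave (2 days) are listed; bob (under a minute) and erin (4m) are not.
sample_w_output | idle_ttys 5
```

To arm it, install the script under /usr/local/sbin and have a root crontab entry run it every minute with `reap_idle_sessions 5 kill`. Two caveats follow directly from how w(1) measures idleness: it uses the tty's access time, so only keystrokes reset the counter and a user watching top for ten minutes is reaped; and SIGHUP only reaches processes on that tty, so a detached screen or tmux server, background jobs and at(1) commands survive, which is exactly the gap Damien and Polytropon describe. The logger line gives the auditor evidence that the control is enforced.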