bugzilla-daemon at mindrot.org
2020-May-29 09:15 UTC
[Bug 3172] New: Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
Bug ID: 3172
Summary: Idle connections not closed automatically
Product: Portable OpenSSH
Version: 8.2p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: stefan.laesser at omicronenergy.com
Hello together,
I have set ClientAliveCountMax=1 and ClientAliveInterval=300 and have
expected that any idle SSH connection will be closed automatically
after 5min of inactivity. This is not the case. I have also tried to
disable it by setting ClientAliveCountMax=0 but the behavior is the
same. Any ssh connection remains open forever.
Can you confirm that there is an issue with this?
Thank you and with best regards,
Stefan
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-May-29 11:35 UTC
[Bug 3172] Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
These settings are not for closing idle sessions, but for closing
sessions when network connectivity has failed. Are you testing by not
passing keystrokes through the session? If so, that won't work - you can
test these options by blocking traffic with firewall rules or by
physically pulling a network plug if you prefer :)
bugzilla-daemon at mindrot.org
2020-Jun-02 05:56 UTC
[Bug 3172] Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
--- Comment #2 from Stefan <stefan.laesser at omicronenergy.com> ---
Yes, I am testing by not passing keystrokes through the session.
Can you please tell me which settings are for closing idle sessions
then? :)
All I have found on the internet, and even the CIS recommendation
(https://www.cisecurity.org/cis-benchmarks/), is to use these two
settings for closing idle connections automatically.
Before using OpenSSH 8.2 we were running OpenSSH 7.9. With 7.9
everything worked as expected with ClientAliveCountMax=0 and
ClientAliveInterval=300 - any idle connection was closed automatically
after 5min. Since the update this does not work anymore. We did not
change anything in our sshd config.
In the OpenSSH 8.2 release notes I have found a bug fix regarding
ClientAliveCountMax which indicates a changed behavior
(https://bugzilla.mindrot.org/show_bug.cgi?id=2627)
* sshd(8): make ClientAliveCountMax=0 have sensible semantics: it will
  now disable connection killing entirely rather than the current
  behaviour of instantly killing the connection after the first
  liveness test regardless of success. bz2627
That is why I have played around with ClientAliveCountMax but without
success.
Your help is really appreciated - thank you.
bugzilla-daemon at mindrot.org
2020-Jun-02 09:29 UTC
[Bug 3172] Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Stefan from comment #2)
> Can you please tell me which settings are for closing idle sessions
> then? :)
sshd doesn't actually know when the shell is idle. Is the shell idle
during "sleep 60"? Try something like bash's TMOUT variable.
bugzilla-daemon at mindrot.org
2020-Jun-02 15:16 UTC
[Bug 3172] Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
--- Comment #4 from Stefan <stefan.laesser at omicronenergy.com> ---
(In reply to Darren Tucker from comment #3)
> (In reply to Stefan from comment #2)
> > Can you please tell me which settings are for closing idle sessions
> > then? :)
>
> sshd doesn't actually know when the shell is idle. Is the shell
> idle during "sleep 60"? Try something like bash's TMOUT variable.
Yes, when I am using TMOUT inside the session is terminated
automatically. I don't even need an explicit sleep command. So the
session is really idle.
bugzilla-daemon at mindrot.org
2020-Jun-10 05:39 UTC
[Bug 3172] Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
--- Comment #5 from Stefan <stefan.laesser at omicronenergy.com> ---
Any idea why it works for OpenSSH 7.9 and does not work anymore with
OpenSSH 8.x?
bugzilla-daemon at mindrot.org
2020-Jul-31 03:31 UTC
[Bug 3172] Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
ClientAliveCountMax=0 has never been specified to work as an idle
timeout. If it did that then it was by accident and would be
unreliable. E.g. if the client specified its own ServerAliveTimeout or
kept a forwarded TCP connection open then it would never fire.
bugzilla-daemon at mindrot.org
2021-Dec-14 16:54 UTC
[Bug 3172] Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
josh at honorablemenschen.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |josh at honorablemenschen.com
--- Comment #7 from josh at honorablemenschen.com ---
This is another call to either restore the previous functionality
(which, I will point out, is "documented" as a solution to
disconnecting idle SSH connections all over the web, including posts
dated well after the change in OpenSSH - not your problem, yet it does
point out a widespread usage of said functionality). While I
understand the call to use the TMOUT shell variable, that ONLY works
when the SSH session in question is ALSO the shell in question. SSHing
into one system where the TMOUT variable is set and then SSHing from
there into another system completely eliminates the first shell's
timeout functionality, as it never returns to a shell prompt until the
SSH session exits. And when the timeout needs to be implemented on the
first server, but not the second (e.g., a bastion gateway SSH server
used to provide access to internal servers that don't/shouldn't have
timeout on shells), it essentially eliminates the ability to timeout
idle SSH sessions on that first server.
I understand that the ClientAliveInterval and ClientAliveCountMax were
not originally intended to provide a timeout functionality, and that
logically ClientAliveCountMax=0 should disable the option, but in
today's network environment there needs to be a reasonable way to force
idle SSH connections to close at the SSH server level. Can I suggest
that perhaps setting ClientAliveCountMax=-1 would be a reasonable way
to tell sshd that if it waits ClientAliveInterval without any data
packets that it should close the connection immediately? That could
then be documented as explicitly being the way to disconnect idle
sessions - set ClientAliveInterval=<timeout> and ClientAliveCountMax=-1
to automatically disconnect after <timeout> with no data.
bugzilla-daemon at mindrot.org
2023-Oct-11 07:17 UTC
[Bug 3172] Idle connections not closed automatically
https://bugzilla.mindrot.org/show_bug.cgi?id=3172
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Since OpenSSH 9.2 we now have ChannelTimeout and
UnusedConnectionTimeout that provide granular idle session/connection
timeouts.
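An added example, not part of the thread and not OpenSSH code: a small audit over `sshd -T` output that flags a configuration still relying on ClientAliveInterval/ClientAliveCountMax as an idle timeout and checks for the ChannelTimeout/UnusedConnectionTimeout options named in comment #8. The sample outputs are constructed, and the channel type used in the ChannelTimeout value is an assumption to check against sshd_config(5) for the installed version.

```python
# Constructed `sshd -T` samples (not from the thread). The channel type in the
# ChannelTimeout value is an assumption; check sshd_config(5) for your version.
LEGACY = """\
clientaliveinterval 300
clientalivecountmax 0
unusedconnectiontimeout none
"""
MODERN = """\
clientaliveinterval 300
clientalivecountmax 3
channeltimeout session:shell=5m
unusedconnectiontimeout 5m
"""

def parse_effective(text):
    """Parse `sshd -T` style 'keyword value' lines into {keyword: [values]}."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            cfg.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return cfg

def is_set(cfg, key):
    """True if the keyword has at least one value other than 'none'."""
    return any(v.lower() != "none" for v in cfg.get(key, []))

def audit(text):
    """Return findings for a config that expects idle sessions to be closed."""
    cfg = parse_effective(text)
    # sshd defaults: ClientAliveInterval 0 (off), ClientAliveCountMax 3.
    interval = int(cfg.get("clientaliveinterval", ["0"])[0])
    count_max = int(cfg.get("clientalivecountmax", ["3"])[0])
    findings = []
    if interval > 0 and count_max == 0:
        # 8.2 release note quoted in comment #2: 0 disables connection killing.
        findings.append("ClientAliveCountMax=0: keepalive never closes the connection")
    if not (is_set(cfg, "channeltimeout") or is_set(cfg, "unusedconnectiontimeout")):
        # Comments #1 and #8: ClientAlive* only detects dead peers; idle
        # timeouts need ChannelTimeout / UnusedConnectionTimeout (OpenSSH 9.2+).
        findings.append("no idle timeout: ChannelTimeout/UnusedConnectionTimeout unset")
    return findings

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, audit(sample) or "ok")
```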