[sllug-members]: OpenSSH Idle Timeout
Jason Edwards
jtanium at gmail.com
Fri Jan 25 16:59:26 MST 2008
I seem to have come across a solution that's about as good. Cron this
command to run on your firewall every minute or so:
who -u | awk '{ print $6,$7 }' | egrep "old|[1-9][0-9]?:|00:([2-9]|1[6-9])" | awk '{ print $2 }' | xargs kill -15
In case you're wondering what the above does:
`who -u` => produces a list of every user on the box, and how long
they've been idle
`awk '{ print $6,$7 }'` => this will extract the idle time and the pid
from the above
`egrep "old|[1-9][0-9]?:|00:([2-9]|1[6-9])"` => this will find sessions that
are more than 15 minutes old
`awk '{ print $2 }'` => this extracts the pids from the above
`xargs kill -15` => sends the SIGTERM to the pids
If you change it to kill -9, you kill the "privileged" sshd process,
but the unprivileged sshd process, which is the parent of the shell,
will continue to run, leaving the session open. The SIGTERM will end
the session properly.
I did make sure that this works properly when you are ssh'ed to
another machine. For example, none of our boxes have direct ssh
access, you have ssh to the firewall, then onto the box (something
like this: client -> firewall -> web server). So if you are logged
into the web server and are working, your session won't become idle.
But if you stop typing on the web server, your idle time will
increase. In short, `who -u` seems to recognize idle time properly.
Disclaimer: I've only run this on CentOS 5. I can take no
responsibility for use of the script. If your machines are not behind
a separate physical firewall, you'll probably have to run it on each
box. Your Mileage May Vary (YMMV).
Jason
On Jan 25, 2008 3:48 PM, Knight Walker <kwalker at kobran.org> wrote:
>
> On Fri, 2008-01-25 at 15:33 -0700, Jason Edwards wrote:
> > Well, thanks for that input... I guess that will just have to do...
> > The lame thing about the Bash idle timeout, is users can easily fix
> > that by adding "unset TMOUT" to their .bash_profile.
>
> Yeah, that is a (slight) possibility, but this will protect against the
> other 90% of the time when someone gets distracted by coworkers talking
> about last night's House MD or whatever.
>
> > I looked if there was a way to do it in iptables, similar to the way
> > my stupid WRT45G kills my ssh connections after, like, 30 minutes, but
> > couldn't find anything. I imagine you'd have to pull in the recent
> > module -- it would be tricky, no doubt about it.
>
> If you can figure that out, I would like to know, because there's some
> people who leave their MySQL sessions open indefinitely and it really
> pisses me off.
>
> -KW
>
>
> ______________________________________________________________________
> See http://www.sllug.org/ for latest SLLUG news, information, links.
> Join SLLUG and other UT LUG members on irc.FreeNode.net channel #Utah
> sllug-members at sllug.org
> http://www.sllug.org/cgi-bin/mailman/listinfo/sllug-members
>
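A worked version of the reaper discussed above, added here as an example and not code from the thread or from OpenSSH. The posted one-liner depends on the IDLE column being awk field 6; on current GNU coreutils `who -u` prints NAME LINE YYYY-MM-DD HH:MM IDLE PID COMMENT (IDLE is field 5, PID field 6), while older builds print the time as "Jan 25 16:59" and shift every later column by one, so this version locates IDLE by its shape (".", "old", or HH:MM immediately followed by an all-digit PID) and compares the hours as numbers, so 10:xx and 20:xx idle times cannot slip through a character class. It assumes GNU xargs (`-r`) and a POSIX awk; the `who -u` lines it runs on are constructed for the demonstration, and `reap_idle_sessions` is the hypothetical cron entry point.

```shell
#!/bin/sh
# Added example, not code from the thread: an idle-session reaper built on
# `who -u` that finds the IDLE column by its shape instead of by a fixed
# awk field number. On current GNU coreutils `who -u` prints
#   NAME LINE YYYY-MM-DD HH:MM IDLE PID COMMENT
# (IDLE is field 5, PID field 6); older builds print "Jan 25 16:59" for the
# time, shifting every later column by one. Hours are compared as numbers.

# idle_pids LIMIT  - read `who -u` lines on stdin, print the PID of every
# session idle for more than LIMIT minutes, one per line.
idle_pids() {
    awk -v limit="$1" '
    {
        found = 0
        for (i = 3; i < NF; i++) {
            idle = $i
            # The IDLE column is the one immediately followed by the all-digit PID.
            if ($(i + 1) !~ /^[0-9]+$/) continue
            if (idle == ".")   { mins = 0;    found = 1; break }   # active < 1 min
            if (idle == "old") { mins = 1440; found = 1; break }   # idle >= 24 h
            if (idle ~ /^[0-9]+:[0-9][0-9]$/) {                    # HH:MM
                split(idle, t, ":"); mins = t[1] * 60 + t[2]; found = 1; break
            }
        }
        if (!found) next                    # heading line or unknown layout
        if (mins > limit + 0) print $(i + 1)
    }'
}

# Hypothetical cron entry point (defined, not run here): SIGTERM ends the
# session cleanly, as the thread notes; GNU xargs -r skips kill when no
# session qualifies, instead of running kill with no arguments.
reap_idle_sessions() {
    who -u | idle_pids "${1:-15}" | xargs -r kill -TERM
}

# Constructed sample in both layouts, used only for the demonstration below.
sample_who_output() {
    cat <<'EOF'
NAME     LINE         TIME             IDLE  PID COMMENT
alice    pts/0        2008-01-25 16:59   .          3456 (10.0.0.5)
bob      pts/1        2008-01-25 09:10 00:16        3501 (10.0.0.6)
carol    pts/2        2008-01-24 22:05 10:30        3602 (10.0.0.7)
dave     pts/3        2008-01-22 08:00 old          3700 (10.0.0.8)
erin     tty1         Jan 25 16:40       00:05      3800
frank    pts/4        Jan 25 06:00       20:45      3900 (10.0.0.9)
EOF
}

# Dry run: list what would be killed at the 15-minute threshold.
sample_who_output | idle_pids 15
```

Run the dry run against the real `who -u` on a host before wiring `reap_idle_sessions` into cron, since the column check is only as good as the layout the local who(1) actually prints. If you also keep the bash TMOUT, setting it with `readonly TMOUT=900` in a file under /etc/profile.d makes a later `unset TMOUT` in a user's .bash_profile fail; it does not stop a user who starts a different shell, which is why a check based on `who -u` is still worth having.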