How to disconnect idle SSH session?
What is an idle SSH session?
An idle SSH session is one where an SSH connection has been made between a host and a client, but the user has shown no activity on it. The session is not stuck; it is simply unused. You can list all the active ssh connections and then check the idle time for each source host.
In this article I will share the trick to disconnect an idle SSH session automatically, and also how to avoid getting disconnected when an SSH session is idle. In my last article I shared the steps and examples to terminate an unresponsive SSH session in Linux.
The trick is to use the two arguments below with proper values to achieve both scenarios, i.e. to disconnect an idle SSH session, and to make sure your SSH session does not get disconnected when idle:
- ClientAliveInterval
- ClientAliveCountMax
But before disconnecting any such ssh session it is also important to know the currently active SSH sessions on your Linux node. There are various ssh authentication methods using which you can connect to Linux nodes with or without password depending upon your requirement.
From the man page:
ClientAliveCountMax
Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds.
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
Disconnect idle SSH session (ssh close connection after sometime)
To disconnect an idle SSH session, i.e. to have ssh close the connection after some time, make sure ClientAliveCountMax is 0. When it is 0, sshd will not send client alive messages and will close the connection if the client is inactive for the time period given by ClientAliveInterval. This behaviour applies to OpenSSH releases before 8.2; from 8.2 onward, ClientAliveCountMax 0 disables connection termination instead.
Set ClientAliveCountMax on the client node instead of server side to have ssh close the connection after some time. Assuming you are doing SSH from node1 → node2, apply these changes on node2 (the node that runs sshd and accepts the connection), so that an SSH connection from any node to node2 will get disconnected when idle for more than the defined time.
Look out for the current assigned value of ClientAliveCountMax in /etc/ssh/sshd_config on node2. If you do not find it in sshd_config, it means that your sshd_config file is customised and no one has defined a value for ClientAliveCountMax. To get the default value of an unassigned variable, you must get the values of all the variables from sshd_config, which you can view using "sshd -T".
# sshd -T | grep -i client
clientaliveinterval 10
clientalivecountmax 1
Next assign a value of 0 to ClientAliveCountMax in /etc/ssh/sshd_config on the client node, which for me is node2
node2:~ # grep ClientAliveCountMax /etc/ssh/sshd_config
ClientAliveCountMax 0
Now we should also assign the time interval for which a session is allowed to stay connected while idle. This is defined using ClientAliveInterval, again in the /etc/ssh/sshd_config file on my client node, i.e. node2
node2:~ # grep ClientAliveInterval /etc/ssh/sshd_config
ClientAliveInterval 10
For the sake of this article I am giving 10 seconds as this interval period. You can change this value based on your requirement.
Restart the sshd service and check the status
node2:~ # systemctl restart sshd
node2:~ # systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-05-31 16:16:20 IST; 51s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 19792 (sshd)
CGroup: /system.slice/sshd.service
└─19792 /usr/sbin/sshd -D
May 31 16:16:20 node2 systemd[1]: Starting OpenSSH server daemon...
May 31 16:16:20 node2 sshd[19792]: Server listening on 192.150.20.2 port 22.
May 31 16:16:20 node2 sshd[19792]: Server listening on node2 port 22.
May 31 16:16:20 node2 systemd[1]: Started OpenSSH server daemon.
Next let us initiate the SSH session from node1 to node2
[root@node1 ~]# ssh -v root@node2
Monitor the idle SSH session on node2 using 'w' to make sure ssh closes the connection after some time when idle
[root@node2 ~]# w
16:21:11 up 7:04, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.0.2.2 09:17 7.00s 0.26s 0.01s w
root pts/1 10.0.2.31 16:21 2.00s 0.03s 0.03s -bash
[root@node2 ~]# w
16:21:14 up 7:04, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.0.2.2 09:17 2.00s 0.26s 0.00s w
root pts/1 10.0.2.31 16:21 5.00s 0.03s 0.03s -bash
[root@node2 ~]# w
16:21:17 up 7:04, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.0.2.2 09:17 5.00s 0.26s 0.00s w
root pts/1 10.0.2.31 16:21 8.00s 0.03s 0.03s -bash
[root@node2 ~]# w
16:21:19 up 7:04, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.0.2.2 09:17 7.00s 0.26s 0.00s w
root pts/1 10.0.2.31 16:21 10.00s 0.03s 0.03s -bash
[root@node2 ~]# w
16:21:20 up 7:04, 1 user, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.0.2.2 09:17 0.00s 0.28s 0.02s w
As you see, after 10 seconds of idle time the SSH session from node1 to node2 is closed automatically. The debug messages below are seen on my node1, since the session was started with "-v":
[root@node2 ~]# debug1: channel 0: free: client-session, nchannels 1
Connection to node2 closed by remote host.
Connection to node2 closed.
Transferred: sent 2220, received 2412 bytes, in 10.4 seconds
Bytes per second: sent 213.8, received 232.3
debug1: Exit status -1
So our idle SSH session gets disconnected automatically after waiting for 10 seconds.
Keep idle SSH session active (ClientAliveInterval & ClientAliveCountMax)
Above I showed you the trick to make sure your idle SSH session gets automatically disconnected. If this is becoming a problem for you, you can increase the value of ClientAliveCountMax to a non-zero value.
Additionally you can also use TCPKeepAlive in your sshd_config on the client node.
From the man page of sshd_config:
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources. The default is yes (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions. To disable TCP keepalive messages, the value should be set to no.
For the sake of this article I will use the values below:
[root@node2 ~]# vim /etc/ssh/sshd_config
# 5 minutes
ClientAliveInterval 5m
# 3 times
ClientAliveCountMax 3
Here sshd will send messages, called Client Alive Messages, through the encrypted channel to request a response from the client if the client is inactive for 5 minutes. The sshd daemon will send these messages at most three times. If this threshold is reached without a response from the client, sshd will disconnect the SSH session; an idle client that is still reachable answers the messages and stays connected.
These values can also be used in combination with ServerAliveInterval and ServerAliveCountMax to automatically disconnect a hung or unresponsive SSH session.
Next restart the sshd service and check the status
[root@node2 ~]# systemctl restart sshd
[root@node2 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-05-31 16:37:06 IST; 1s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 9866 (sshd)
Tasks: 1
CGroup: /system.slice/sshd.service
└─9866 /usr/sbin/sshd -D
May 31 16:37:06 node2.example.com systemd[1]: Stopped OpenSSH server daemon.
May 31 16:37:06 node2.example.com systemd[1]: Starting OpenSSH server daemon...
May 31 16:37:06 node2.example.com sshd[9866]: Server listening on 0.0.0.0 port 22.
May 31 16:37:06 node2.example.com sshd[9866]: Server listening on :: port 22.
May 31 16:37:06 node2.example.com systemd[1]: Started OpenSSH server daemon.
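As an added example (not part of the original article), the shell function below classifies the client-alive policy that "sshd -T" reports, covering both configurations shown above. The function name alive_policy, the sample inputs and passing the OpenSSH version as an argument are assumptions of this example; it relies on the OpenSSH 8.2 change that made ClientAliveCountMax 0 disable disconnection.

```shell
#!/bin/sh
# Added example, not the article's code. On a real host the input would come
# from:  sshd -T | alive_policy <OpenSSH major.minor version>
# The version is supplied by the caller (assumption of this example).

alive_policy() {
    # $1 = OpenSSH version such as 7.4 or 8.9p1; stdin = `sshd -T` style output
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}      # strip suffixes such as "p1"
    awk -v major="$major" -v minor="$minor" '
        $1 == "clientaliveinterval" { interval = $2 }
        $1 == "clientalivecountmax" { count = $2 }
        END {
            if (interval == "" || count == "") { print "unknown"; exit }
            # Interval 0 means no client alive messages are sent at all.
            if (interval + 0 == 0) { print "off"; exit }
            if (count + 0 == 0) {
                # 8.2 changed the meaning of ClientAliveCountMax 0
                if (major > 8 || (major == 8 && minor >= 2))
                    print "never-disconnects"
                else
                    print "idle-disconnect " interval "s"
                exit
            }
            # Non-zero count: only clients that stop answering are dropped.
            print "unresponsive-disconnect " (interval * count) "s"
        }'
}

# Constructed sample: the idle-disconnect setup (interval 10, count 0).
SAMPLE_IDLE='clientaliveinterval 10
clientalivecountmax 0'
# Constructed sample: the keep-alive setup (sshd -T prints 5m as 300).
SAMPLE_KEEP='clientaliveinterval 300
clientalivecountmax 3'

printf '%s\n' "$SAMPLE_IDLE" | alive_policy 7.4
printf '%s\n' "$SAMPLE_IDLE" | alive_policy 8.2
printf '%s\n' "$SAMPLE_KEEP" | alive_policy 8.9p1
```

A result of never-disconnects on a host that is expected to drop idle sessions means the ClientAliveCountMax 0 setting no longer has the effect described in the first half of the article.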
Lastly, I hope the steps in this article to disconnect an idle SSH session, have ssh close the connection after some time, or keep an idle SSH session from getting disconnected on Linux were helpful. So, let me know your suggestions and feedback using the comment section.