I was at work and quickly SSH’d into my home media server to muck around. I minimised my terminal to go out to lunch, then came back, unlocked my computer, and saw that I was still logged in as root. That gave me a mini heart attack.

So, let’s fix that.

Let’s open the SSH config file.

Oh boy, what wondrous and strange configurations we see. I’ve already disabled passwords in my config file and forced my media server to only use public key authentication. I’ll probably be setting up my home lab the same way, so I’ll describe how to set that up in a later post.

There is a glaring omission in my config. There’s no ClientAliveInterval or ClientAliveCountMax. These control how long a session can remain idle before a keep-alive message is sent (disabled by default), and the number of keep-alive messages sent before disconnection (default of 3), respectively. So if my ClientAliveInterval is set to, say, 20 seconds, a client will be sent 3 keep-alives and then disconnected after 1 minute.

I want any client connected to me to instantly be disconnected after five minutes. I don’t exactly know the benefits of instantly disconnecting after five minutes of inactivity versus sending multiple keep-alives, but I’m guessing using keep-alives will detect client disconnections and terminate the session. That seems smarter to me. Let’s check if the connection is still alive every 30 seconds. This means we’ll need 300 / 30 = 10 keep-alives. Quick mafs.

So, I’m gonna add this to the end of my config:

Now to restart SSH to use the new config:

I can’t be bothered waiting to see if it actually works, so I’m just gonna assume it did. Let me know if it doesn’t.


Turns out I misunderstood the hell out of the keep-alives. If you send a keep-alive, of course the idle client (that hasn’t disconnected) will respond and keep the session live. So let’s fix that.

Now we’re just gonna kick the client instantly if there’s been no activity after 5 minutes.
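
To make the keep-alive arithmetic and the correction above concrete, here is an added example (not from the original post) that reads ClientAliveInterval and ClientAliveCountMax from sshd_config text and reports how long an unresponsive client survives. The sample configs are constructed, values are assumed to be plain seconds, and the note on ClientAliveCountMax 0 reflects OpenSSH 8.2 and later, where that value turns termination off.

```python
# Added example: what do sshd's ClientAlive* settings actually enforce?
DEFAULTS = {"clientaliveinterval": 0, "clientalivecountmax": 3}  # sshd defaults

# Constructed sample configs (not the author's real file).
KEEPALIVE_CFG = """\
PasswordAuthentication no
# 300 / 30 = 10 keep-alives
ClientAliveInterval 30
ClientAliveCountMax 10
"""
ZERO_COUNT_CFG = "ClientAliveInterval 300\nClientAliveCountMax 0\n"


def parse_client_alive(config_text):
    """Return the global ClientAlive* values from sshd_config text."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # this sketch only reads the global section
        # sshd keeps the first value it sees for a keyword.
        # Assumption: values are written as plain seconds.
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen[key] = int(parts[1])
    return {**DEFAULTS, **seen}


def dead_client_timeout(config_text):
    """Return (seconds until an unresponsive client is dropped, note)."""
    cfg = parse_client_alive(config_text)
    interval, count = cfg["clientaliveinterval"], cfg["clientalivecountmax"]
    if interval == 0:
        return None, "keep-alives disabled; dead sessions are not detected"
    if count == 0:
        return None, "OpenSSH 8.2+: CountMax 0 disables termination"
    return interval * count, "clients that answer keep-alives stay connected"


if __name__ == "__main__":
    for name, text in [("keepalive", KEEPALIVE_CFG), ("zero", ZERO_COUNT_CFG)]:
        print(name, dead_client_timeout(text))
```

Running `sshd -T` as root prints the effective values the daemon will use, which is a quicker check than waiting out a session.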