sshd - time out idle connections

[Fleuriot Damien]

Allow me to add a bit of context here.


We're wrapping things up to obtain the PCI DSS certification which is awarded for running through a long and annoying series of hoops.
This certification is rather important to our business so like it or not, we have to play along.


Allowing the use of screen defeats the purpose of logging out idle connections, I don't think we're going to pass this specific requirement if we let users run screen.




On May 3, 2013, at 5:18 PM, "Mikel King" <mikel at olivent.com> wrote:

> Firing people for violating the 5 minute rule seems a tad extreme. If there is indeed a company policy regarding the 5 minute idle window you and you intend to roll forward with a connection kill script then also make screen or tmux available. In my experience people tend to be more accepting of connection outages if they can reconnect to where the were when they were last on. 
> 
> Regards,
> Mikel King
> BSD News 
> 
> 
> From: Fleuriot Damien [mailto:ml at my.gd]
> To: FreeBSD questions [mailto:freebsd-questions at freebsd.org]
> Sent: Fri, 03 May 2013 10:28:31 -0400
> Subject: sshd - time out idle connections
> 
> Hello list,
> 
> 
> 
> I'm facing this unusual demand at work where we need to time out idle SSH connections for security purposes.
> 
> I've checked the following options from sshd_config but none seems to fit my needs :
> TCPKeepAlive
> ClientAliveCountMax
> ClientAliveInterval
> 
> 
> Basically, I'm trying to defeat the use of the following client-side option:
> ServerAliveInterval 5
> 
> 
> I'm afraid all I've hit now is dead ends.
> 
> 
> Has anyone ever had the same requirements before and, perhaps, found a solution to this ?
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"