ClientAlive messages, TMOUT and SSH session logging of

I have some questions regarding automatic logout of SSH clients.

From my understanding there are several ways to do so. The first one is by setting the TMOUT variable within /etc/profile, and that works without any issue: if I set TMOUT=30, the user will be disconnected after 30 seconds of not executing any command. But there are also ClientAliveInterval and ClientAliveCountMax, and I am confused about how they work and why they do not work as I would expect them to.

From man sshd_config:

ClientAliveCountMax
Sets the number of client alive messages which may be sent without sshd(8) receiving any
messages back from the client. If this threshold is reached while client alive messages
are being sent, sshd will disconnect the client, terminating the session. It is important
to note that the use of client alive messages is very different from TCPKeepAlive.
The client alive messages are sent through the encrypted channel and therefore will not
be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client
alive mechanism is valuable when the client or server depend on knowing when a connection
has become inactive.
The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is
left at the default, unresponsive SSH clients will be disconnected after approximately 45
seconds.

ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the
client, sshd(8) will send a message through the encrypted channel to request a response
from the client. The default is 0, indicating that these messages will not be sent to
the client.

Let's say we want to set up our SSH server to disconnect an IDLE user after 300 seconds. I think that there are 3 ways of doing so:

ClientAliveCountMax = 0
ClientAliveInterval = 300 

Or via TMOUT:

TMOUT=300

But this one does not work:

ClientAliveCountMax = 5
ClientAliveInterval = 60

My question is why? I thought that if ClientAliveCountMax is set, then the kick-out time shall be equal to ClientAliveCountMax * ClientAliveInterval. Therefore, in my example, all the entries should do the same: disconnect the SSH client after 300 seconds of being IDLE.

If I monitor the traffic with tcpdump, I see that ClientAliveInterval is the interval at which TCP messages are sent from the server to the client, and I would expect, based on the description of the settings in sshd_config, that ClientAliveCountMax means the maximum number of ClientAlive messages to be sent before the client gets kicked out (if IDLE). Therefore, in my example:

ClientAliveCountMax = 5
ClientAliveInterval = 60

should be interpreted as:

If a user is IDLE, proceed to send ClientAlive messages at a 60s interval until they reach a count of 5, then terminate the session (after 5 minutes of IDLE time the user will be disconnected).

But that does not work. Am I missing something or am I just misunderstanding it completely?

SSH clients can set ServerAliveCountMax and ServerAliveInterval too in their ~/.ssh_config file. This will override server defaults.

So, as an SSH server, I cannot force a timeout for connecting clients if they configure their ssh_config otherwise?
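
Added example (not part of the original thread, and not sshd's own code): a simplified Python model of the counter described in the quoted man page text. It shows that ClientAliveCountMax counts probes that went unanswered, so an idle client that is still reachable is never disconnected by it, while TMOUT ends the shell regardless. The function name session_end and its parameters are assumptions made for illustration.

```python
"""Simplified model of the idle-session timers discussed in this thread."""


def session_end(interval, count_max, client_replies, tmout=None, horizon=3600):
    """Return (seconds, reason) for when an idle session ends, or None if it
    is still open after `horizon` seconds of idleness.

    interval, count_max -- ClientAliveInterval / ClientAliveCountMax
    client_replies      -- True if the SSH client is reachable and answers probes
    tmout               -- shell TMOUT in seconds (None = unset)
    """
    unanswered = 0
    step = interval if interval > 0 else horizon  # interval 0: no probes are sent
    t = step
    while t <= horizon:
        # The shell's own idle timer does not depend on the network at all.
        if tmout is not None and tmout <= t:
            return (tmout, "TMOUT")
        if interval > 0:
            if count_max == 0:
                # Modelled as the post reports it: the first probe deadline ends
                # the session. Newer OpenSSH releases treat 0 as "never disconnect".
                return (t, "ClientAlive")
            if client_replies:
                unanswered = 0  # any reply resets the counter
            else:
                unanswered += 1  # probe sent, nothing came back
                if unanswered >= count_max:
                    return (t, "ClientAlive")
        t += step
    if tmout is not None and tmout <= horizon:
        return (tmout, "TMOUT")
    return None


if __name__ == "__main__":
    # Constructed scenarios: (interval, count_max, client_replies, tmout)
    scenarios = [
        (60, 5, True, None),   # idle but reachable client: stays connected
        (60, 5, False, None),  # dead or unreachable client: dropped
        (15, 3, False, None),  # the man page's own numbers
        (300, 0, True, None),  # first variant from the post
        (60, 5, True, 300),    # probes for dead peers, TMOUT for idle users
    ]
    for s in scenarios:
        print(s, "->", session_end(*s))
```
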

