What is the default idle timeout for OpenSSH?

  • I can't seem to find an answer to this simple question, which I need for some compliance documentation.

    On a default install of CentOS 6.5 (OpenSSH 5.3p1-94.el6), after how long of being idle will a user's SSH session be terminated? I believe the following can be set to increase the idle timeout, but they are commented out by default.

    $ grep -i alive /etc/ssh/sshd_config
    #TCPKeepAlive yes
    #ClientAliveInterval 0
    #ClientAliveCountMax 3

    Also, is there a command to dump a list of the current sshd settings? I don't see anything in man sshd.

    Some shells can be set to exit after a timeout. That would cause the ssh session to terminate. Check whether your TMOUT environment variable is set.

  • The commented lines in sshd_config usually display the defaults. This is the case with all of the lines in your question. You can verify this in the sshd_config manpage. Here are the relevant snippets:


        Specifies whether the system should send TCP keepalive messages to the other side.  If they are sent, death of the connection or crash of one of the machines will be properly noticed.  However, this means that connections will die if the route is down temporarily, and some people find it annoying.  On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving “ghost” users and consuming server resources.

        The default is “yes” (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes.  This avoids infinitely hanging sessions.

        To disable TCP keepalive messages, the value should be set to “no”.

        This option was formerly called KeepAlive.


        Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client.  If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.  It is important to note that the use of client alive messages is very different from TCPKeepAlive (below) (above).  The client alive messages are sent through the encrypted channel and therefore will not be spoofable.  The TCP keepalive option enabled by TCPKeepAlive is spoofable.  The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

        The default value is 3.  If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds.  This option applies to protocol version 2 only.


        Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client.  The default is 0, indicating that these messages will not be sent to the client.  This option applies to protocol version 2 only.

    Correct me if wrong, but if there was no firewall in between me and the machine (w/ default configs), then I'd never be disconnected? I know our firewall drops idle TCP connections after 60 minutes, so that's where the closing idle connections is happening. I just wanted to check and see if OpenSSH itself explicitly closes sessions. I think the answer is No, openssh does not explicitly close idle connections, but firewalls *typically* do. The settings mentioned in your answer actually help to persist the connection or to properly terminate the session if it sees it's been dropped.

    The quoted text says that the default for ClientAliveInterval is 0, which means that it doesn't define a time interval for which a connection stays open. And yet we know that the time interval has some finite value by default. Therefore it seems that there must be some *other* parameter that sets how long the connection stays open by default. If my analysis above is correct, then suppose both server and client are linux machines running openssh, and both are using all the defaults. In this case which side sets the default, what is its value, and where is it set?

    @BenCrowell *And yet we know that the time interval has some finite value by default.* What *time interval* and how do you know this?

  • You can set up SSH keepalive for either the client or server side:

    Client side

    File: /etc/ssh/ssh_config


    Host *
    ServerAliveInterval XX
    ServerAliveCountMax YY

    Server side

    File: /etc/ssh/sshd_config


    ClientAliveInterval XX
    ClientAliveCountMax YY

    Extracted from: http://www.sysadmit.com/2016/02/linux-y-vmware-ssh-evitar-desconexion.html

    Useful, but doesn't answer the question in any way.

  • OpenSSH will not terminate a shell session that has been idle for some time. This is not something that OpenSSH does. Terminating an idle shell session is unrelated to the configuration of OpenSSH.

    The settings that you are showing are related to timeouts when the connection goes down and are unrelated to the shell on the remote host and what the user is doing or not doing there.

    The remote host's shell may terminate (or may get killed by some other process) after some time of idleness, but this is unrelated to the configuration of the SSH service on the server and of your SSH client.


    To dump the sshd configuration, use the "extended test mode" as root:

    sshd -T

    This is documented in the sshd(8) manual (looking at OpenSSH_7.7, LibreSSL 2.7.2 on OpenBSD here):


    Extended test mode. Check the validity of the configuration file, output the effective configuration to stdout and then exit. Optionally, Match rules may be applied by specifying the connection parameters using one or more -C options.

    This option was added to sshd for OpenSSH 5.1/5.1p1 in 2008.

    _OpenSSH will not terminate a shell session that has been idle for some time. This is not something that OpenSSH does. Terminating an idle shell session is unrelated to the configuration of OpenSSH._ Actually this doesn't appear to be true. If `ClientAliveCountMax` is set to `0`, an idle connection will be terminated after `ClientAliveInterval` seconds have passed. I haven't been able to find any documentation to support this behaviour though, which is frustrating... anyone?

    Also mentioned in JohnA's answer, not sure why that one was downvoted.

    @Annihilannic The connection would probably be terminated, but SSH would not explicitly terminate the shell session, which is what I'm emphasizing in my answer. If, for example, a shell session is running in `tmux` or `screen`, and SSH terminates the connection (for whatever reason), you will find that the _shell session_ does not terminate. If `tmux` or `screen` is not used, the shell session will most likely be sent a `HUP` signal and terminate, but it is not SSH that sends that `HUP` signal. SSH will _not_ terminate shell sessions.

  • If the requirement is to close the SSH connection after a period of inactivity, the shells themselves provide timeout variables.

    For bash:

    TMOUT: If set to a value greater than zero, TMOUT is treated as the default timeout for the read builtin. The select command terminates if input does not arrive after TMOUT seconds when input is coming from a terminal. In an interactive shell, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates after waiting for that number of seconds if input does not arrive.

    test this by running TMOUT=10 and wait for 10 sec to close the connection.

    For tcsh:

    The autologout shell variable can be set to log out or lock the shell after a given number of minutes of inactivity.

    In tcsh, the syntax for setting the timeout for ten minutes is set autologout=10. This doesn't work in the original csh.

  • If you want the timeout to be 10 seconds for everyone, do the following for the server config (sshd_config):

    ClientAliveInterval 10
    ClientAliveCountMax 0

    If you want the timeout to be 10 seconds for local clients, do the following for the client config (ssh_config):

    ServerAliveInterval 10
    ServerAliveCountMax 0

    If the AliveCountMax parameter is non-zero, it probably won't work because the server will reply resetting the timer (unless there's a connection problem). You can see this by running the ssh client with debugging turned on.

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM