Disable Inactive SSH Sessions

Today’s article can be used by anyone that has started using SSH on their computers, as we learn to disable inactive SSH sessions. It’s not going to be a very complicated article. This is easy enough for anybody to do, and there aren’t too many ways to permanently mess things up.

What is SSH?

My regular readers will know that I’ve written quite a few articles about SSH. Basically, SSH stands for “Secure Shell” and is a tool you use to remotely control other devices through the terminal. The tool is ancient but still valuable. I use SSH regularly, and that’s not even counting the stuff I do online.

Indeed, I’ve written some SSH articles before:

Install SSH to Remotely Control Your Linux Computers
How To: Restart SSH
Show Failed SSH Login Attempts
(And many more.)

By default, your server/device may not close inactive or idle sessions. It will let you maintain your connection until you tell it to exit. This can be a security issue and it may be worth setting your SSH to disable inactive SSH services.

In this article, we’ll be using Nano and you’ll need to be able to use an SSH connection. If you don’t default to using Nano, you can install Nano or just use the default text editor that you’re more accustomed to. In theory, if you’re just practicing, you could set this up on your computer and then tell SSH to connect to ‘user@localhost’.

Disable Inactive SSH Sessions:

Up above I said, “SSH stands for “Secure Shell” and is a tool you use to remotely control other devices through the terminal.” If you were paying attention, you’d notice the last word is “terminal”. So, you’ll need an open terminal. For most distros, you can open a terminal easily, you press CTRL + ALT + T and you’re all good.

With your terminal now open, you’ll need to connect to the device that’s running the SSH server and enter the following command:

Next, you’ll add a couple of new lines. The syntax is straightforward and easy enough for anyone to understand. There’s a little bit of math, but you can do that math in your head. The syntax looks like this:

The first entry is how long you want to wait to check for an idle connection.

The second entry is how many times you want (set by the first entry) to check for an idle connection.

For example, look at this:

With the above, it’d check for an idle state every 300 seconds (five minutes). It will perform this check 5 times. If the connection is idle for all of those checks, the system will disconnect the SSH user. That’s allowing for 25 minutes of idle time before disconnecting the inactive user. That seems reasonable to me.

You can set those values to anything you’d like, perhaps shorter for an open office and longer if you’re using your home computer and connected to your own devices. The math doesn’t change. It’s just the number of seconds between text multiplied by the number of times the system will perform those checks. If you regularly have many users connected via SSH, you can save some resources by disconnecting them after a reasonable period of inactivity.

As we edited this with Nano, you’ll need to save the file. To do that, you simply press CTRL + X, then Y, and then ENTER and Nano will save the ‘ssh_config’ file.

After you have saved the file, you’ll need to restart SSH for the changes to take effect. That’s easy enough. Assuming you’re using Systemd, you restart SSH with this command:

If you’re still using SysV, the command would be this:

(I don’t bother with that often, I just assume you’re using Systemd. After all, according to the stats I can get, most of us are in fact using distros that use Systemd.)

Closure:

So, if you want to disable inactive SSH sessions, you can use the above as a template. You’ll need to figure out how long you want to wait between checks and you’ll want to decide how many times you’re going to make those checks. It’s simple math that anyone can do. It’s also probably not a bad step to take if you’re dealing with something public or sensitive.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Change The ‘sudo’ Password Timeout

Today’s article is going to be a pretty basic article about sudo, where we learn how to change the sudo password timeout. It’s pretty easy to change the sudo password timeout value, and reasonably safe to do so if you use visudo. So, with that in mind, read on!

When you use sudo you’re given a grace period. During that time, you can use sudo again without being asked to type your password again. This is an arbitrary value, typically 15 minutes (I think), and you can customize that value for your particular environment. It’s not difficult.

This is something people may want to change if they’re slow, doing a lot with sudo, or have good physical security. This is also something that someone might want to change for the opposite reason. Some people may want to decrease the length of time that they have with sudo because they work in a shared environment. Who knows? It’s your computer, you can do what you want!

So, what is sudo? It’s how you temporarily use elevated permissions. In fact, I wrote a whole article on this subject, which you can read if you’re so inclined – and I’d suggest doing so if you’re new to Linux:

So, What Is ‘sudo’ Anyhow?

Well then, I mentioned another application. I mentioned ‘visudo’ above.

This may come as a surprise, but I actually wrote an article about visudo! You can read that as well, especially if you’re new to Linux:

Use visudo To Edit The sudoers File

Huh… It’s almost as if I’ve been waiting to write this article for a while and that I took the time to write articles that explain all these things. For a brief moment, one might be fooled into thinking I am good at preparing things. Little do you know… It’d be far more accurate to just say that I’ve written a bunch of articles already. I’d prefer it if you thought it was the former, but there’s definitely a touch of the latter.

Change The sudo Password Timeout:

If you clicked on either of the two links above, you’d know that those tools are used in the terminal. You didn’t click them, did you? Well, you’re going to need an open terminal. In most distros, you can just press CTRL + ALT + T and your default terminal should open. 

With your terminal now open, we’re going to use visudo to edit your sudoers file. In my particular case, we’ll be using Nano. (See? Yet another article you can rely on for more information about Nano!) The command to start banging away on your sudoers file would be simply this:

Now, I can’t say for sure that you’ll be using Nano for this. As you didn’t click the links above, I’ll remind you that visudo uses your default text editor. So, you’ll need to be prepared for that. Your default text editor may be Vim, for example, and you’ll need to know the basics to change your sudo password timeout.

NOTE: If you want, you can change your default text editor. (Did you see that? I did it again!)

Anyhow…

With your sudoers file now open for editing, you just enter the following on a new line:

As far as I can tell, most distros default to 15 minutes. So, you can use sudo and then you won’t be asked for the password again for the next fifteen minutes. In the above, you replace the obvious with the obvious. If you wanted 10 minutes leeway without retyping the password, you’d use this command:

If you wanted an hour’s worth of leeway without typing your sudo password again, then the command would just be this:

See? It’s not very complicated at all.

If you want to be fancy, you could include a comment. A comment starts with an # symbol and is thus ignored by the system. You might want to enter something like this:

By adding a comment, you’ll be reminded of what changes you’ve made from the default configuration. This is generally a good idea, especially if you’re going to heavily modify your system.

As this is Nano, you can finish editing the sudoers file by pressing the CTRL + X, then Y, and then the ENTER button. That will save the changes with Nano. If you’re not using Nano, you’ll need to refer to the manual (unless you already know how to save an edited file).

Closure:

And there you go! You can now change your sudo password timeout value to whatever it is you desire, assuming it’s whole minutes. I do not believe it works with fractions of minutes. You shouldn’t need to reboot or anything. It should take effect immediately and be the new timeout value the very next time you use a command that starts with sudo.

Of course, this comes with some security considerations. If this is a public kiosk, you’d have to be a fool to make this longer. You’d have to be a fool to have sudo access to begin with! That’s why they make guest accounts!

But, if you’re home alone and the neighbors aren’t going to sneak in to steal your wifi password, you’re probably good to go. Heck, if you are daring, you can use sudo without a password. I don’t recommend that, but you can… 

Also, this article contains a whole lot of links to other articles. Google will be pleased! I think it speaks to how many articles I’ve already written more than any foresight on my part.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Linux Tips
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.