Skip to content

Set an SSH idle timeout

Severity: lowApplies to: OpenSSH 8.x+Applies to: Debian / UbuntuApplies to: RHEL / Rocky / Alma
The fix/etc/ssh/sshd_config
Terminal window
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 30

Then reload the daemon:

Terminal window
sudo systemctl reload ssh # Debian, Ubuntu
sudo systemctl reload sshd # RHEL, Rocky, Alma, Fedora

An idle SSH session is an authenticated session. It survives the laptop being carried out of the building, the screen being left unlocked, and the person forgetting it exists. The exposure is modest and requires physical or local access to exploit — which is why this is low rather than high — but it costs nothing to close.

LoginGraceTime is the more useful half. It bounds how long a connection may sit before authenticating, and the default of 120 seconds is generous enough that unauthenticated connections can accumulate. Dropping it to 30 shrinks that window.

They are easy to misread, because they describe a keepalive mechanism rather than a timeout:

  • ClientAliveInterval 300 — after 300 seconds of silence, the server sends the client a request and waits for a response.
  • ClientAliveCountMax 0 — how many of those may go unanswered before the server disconnects.

So the actual idle timeout is ClientAliveInterval × (ClientAliveCountMax + 1). With 300 and 0, a session is dropped after roughly 5 minutes of silence. With the OpenSSH default ClientAliveCountMax 3, the same interval would give you 20 minutes.

Note this measures network silence, not human idleness. A session running tail -f, a long build, or anything producing output is not idle and will not be dropped.