Set an SSH idle timeout
/etc/ssh/sshd_configClientAliveInterval 300ClientAliveCountMax 0LoginGraceTime 30Then reload the daemon:
sudo systemctl reload ssh # Debian, Ubuntusudo systemctl reload sshd # RHEL, Rocky, Alma, FedoraWhy it matters
Section titled “Why it matters”An idle SSH session is an authenticated session. It survives the laptop being
carried out of the building, the screen being left unlocked, and the person
forgetting it exists. The exposure is modest and requires physical or local
access to exploit — which is why this is low rather than high — but it costs
nothing to close.
LoginGraceTime is the more useful half. It bounds how long a connection may sit
before authenticating, and the default of 120 seconds is generous enough that
unauthenticated connections can accumulate. Dropping it to 30 shrinks that window.
How the two directives combine
Section titled “How the two directives combine”They are easy to misread, because they describe a keepalive mechanism rather than a timeout:
ClientAliveInterval 300— after 300 seconds of silence, the server sends the client a request and waits for a response.ClientAliveCountMax 0— how many of those may go unanswered before the server disconnects.
So the actual idle timeout is ClientAliveInterval × (ClientAliveCountMax + 1).
With 300 and 0, a session is dropped after roughly 5 minutes of silence.
With the OpenSSH default ClientAliveCountMax 3, the same interval would give
you 20 minutes.
Note this measures network silence, not human idleness. A session running
tail -f, a long build, or anything producing output is not idle and will not be
dropped.
Related
Section titled “Related”- Restrict which users can log in over SSH — who may open a session at all.