IT Best Practices Tip: nist_V-38610
The SSH daemon must set a timeout count on idle sessions.
This ensures a user login will be terminated as soon as the "ClientAliveCountMax" count is reached.
How to Check Correct Configuration
To ensure the SSH idle timeout will occur when the "ClientAliveCountMax" is set, run the following command:
# grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, output should be:
If it is not, this is a finding.
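An added example, not part of the original tip: the grep above also prints commented-out lines and later duplicates, so this check reports only the first uncommented "ClientAliveCountMax" in the global section of the file, which is the value sshd uses. The function names are hypothetical, the expected value is passed in by the caller because it is not shown on this page, the sample file is constructed, and Include files are not followed.

```sh
#!/bin/sh
# Print the ClientAliveCountMax value set in the global section of an
# sshd_config-style file. Prints nothing if the keyword is not set there.
effective_count_max() {
    awk '
        { sub(/=/, " ") }                       # accept "Keyword=value" and "Keyword value"
        tolower($1) == "match" { exit }         # settings after Match apply only conditionally
        tolower($1) == "clientalivecountmax" {  # "#ClientAlive..." is a different $1, so it is skipped
            gsub(/"/, "", $2)                   # tolerate a quoted argument
            print $2
            exit                                # sshd keeps the first value it reads
        }
    ' "$1"
}

# usage: check_count_max FILE EXPECTED
# Returns 0 when the effective value equals EXPECTED, 1 otherwise (a finding).
check_count_max() {
    actual=$(effective_count_max "$1")
    if [ "$actual" = "$2" ]; then
        echo "PASS: ClientAliveCountMax $actual"
        return 0
    fi
    echo "FINDING: ClientAliveCountMax is '${actual:-unset}', expected '$2'"
    return 1
}

# Constructed sample file. The expected value "2" is for demonstration only
# and is not the value required by this tip.
sample=$(mktemp)
printf '%s\n' '#ClientAliveCountMax 9' 'ClientAliveCountMax 2' 'ClientAliveCountMax 7' > "$sample"
check_count_max "$sample" 2
rm -f "$sample"
```

On a real system, call check_count_max with /etc/ssh/sshd_config and the value required by your baseline.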
How to Fix
To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows: