IT Best Practices Tip: nist_V-38610

Severity: low

Short Description

The SSH daemon must set a timeout count on idle sessions.

Long Description

This ensures a user login will be terminated as soon as the "ClientAliveCountMax" is reached.

How to Check Correct Configuration

To check the "ClientAliveCountMax" setting that governs when the SSH idle timeout occurs, run the following command:

# grep ClientAliveCountMax /etc/ssh/sshd_config

If properly configured, output should be:

ClientAliveCountMax 0


If it is not, this is a finding.
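
The grep above also prints commented-out lines and any later duplicate of the keyword. The following is an added example, not part of the original tip: it evaluates only the first uncommented global "ClientAliveCountMax" line. The function names are hypothetical, and it assumes the global section ends at the first "Match" line and that no "Include" files are used.

```shell
#!/bin/sh
# Added example: evaluate the global ClientAliveCountMax in an sshd_config file.
# Function names are hypothetical. Include files are not followed.

# Print the first uncommented global ClientAliveCountMax value, if any.
effective_client_alive_count_max() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }        # global section ends at first Match
        {
            n = split($0, f, /[ \t=]+/)        # keyword and value, "=" allowed
            if (n >= 2 && tolower(f[1]) == "clientalivecountmax") {
                print f[2]                     # sshd keeps the first value it reads
                exit
            }
        }
    ' "$1"
}

# Return 0 when the effective value is 0, 1 for a finding, 2 if unreadable.
check_client_alive_count_max() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    value=$(effective_client_alive_count_max "$cfg")
    if [ "$value" = "0" ]; then
        echo "OK: ClientAliveCountMax 0"
        return 0
    fi
    echo "FINDING: ClientAliveCountMax is '${value:-unset}', expected 0"
    return 1
}

# Constructed sample: a commented-out 0 that a plain grep would still match.
sample=$(mktemp)
printf '%s\n' '#ClientAliveCountMax 0' 'ClientAliveCountMax 3' > "$sample"
check_client_alive_count_max "$sample" || true
rm -f "$sample"
```

Where sshd is installed, running "sshd -T" as root prints the configuration the daemon would actually use and serves as a cross-check.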

How to Fix

To ensure the SSH idle timeout occurs precisely when the "ClientAliveCountMax" is set, edit "/etc/ssh/sshd_config" as follows:

ClientAliveCountMax 0