timeout

ssh configuration to prevent timeout auto-logouts

Blog

I have a couple remote systems with really short ssh login timeouts. By the time I stand up, walk into the other room to retrieve a reference book and sit back down, the system has logged me out for being idle too long.

By default, the idle auto-logout timeout is set by the administrator in the /etc/ssh_config file. Since most people don't lock their screens before they move away from their computers (though, they really should, and if you have client work on your laptop, you owe it to your client to protect their work by locking your screen every time you leave it), short timeouts will reduce the security risk by auto-logging out idle connections more quickly, reducing the window of opportunity.

I do have the habit of locking my screen as I stand up to move away from it, thanks to Mike Gull. Thanks, Mike!

For one particular system, however, the timeout is too short (it's less than 2 minutes, might be less than one, I haven't timed it).

Rather than changing the config file, I can send null packets to the server letting it know that my connection is still open, that I'm not idle. On the command line, that options is -o:

% ssh -o ServerAliveInterval=5 bounceout

It is, however, slightly annoying to have to remember that -o option.

Fortunately, I can save it in the ssh configuration file:

% man ssh
...
  -F configfile
      Specifies an alternative per-user configuration file.  If a configuration file is given on the
      command line, the system-wide configuration file (/etc/ssh_config) will be ignored.  The
      default for the per-user configuration file is ~/.ssh/config.
...

Excellent.

One quick

% emacs ~/.ssh/config

later and I have this in my file:

Host bounceout.hodsden.net
     ServerAliveInterval        5

I could have used an = instead of white space to separate the values, which eliminates the need for double quotes around the value if there is space in the value:

Host bounceout.hodsden.net
   ServerAliveInterval=5

but my config file is simple enough I don't need to.

And now, no more quick time-outs for that box. Yay!

I also could have used a wild card on that Host parameter. This is a special case that I don't want applied to every server I ssh into, so limiting to one host seems prudent.

Update: If you have aliases in your /etc/host file for your servers, you will need to use the alias in the Host parameter:

Host bounceout
   ServerAliveInterval=5