Enforce SSH idle session timeouts on Linux endpoints by setting ClientAliveInterval in sshd_config
This Automox Worklet™ enforces an idle session timeout on the OpenSSH daemon by writing ClientAliveInterval and ClientAliveCountMax directives into /etc/ssh/sshd_config. The Worklet reads the desired timeout value (in seconds) from a policy parameter, removes any existing non-commented ClientAliveInterval and ClientAliveCountMax directives, appends the canonical pair of settings, and restarts the daemon so the policy takes effect on the next connection.
ClientAliveInterval sets the number of seconds the daemon waits before sending a keepalive probe to an idle client. ClientAliveCountMax sets how many unanswered probes the daemon will send before closing the session. The Worklet pins ClientAliveCountMax to 0, which tells sshd to drop the session immediately at the first unanswered probe, so the effective idle limit is exactly ClientAliveInterval seconds. The default value if no parameter is supplied is 300 seconds, matching the CIS Benchmark recommendation.
The remediation script validates the updated sshd_config with sshd -t before restarting the service, so a syntax error fails fast rather than taking sshd down with a broken config. The Worklet runs idempotently and can be scheduled on a recurring policy to catch drift the next time someone hand-edits sshd_config on a server.
An idle SSH session left open at a forgotten terminal is a privileged shell with no authentication wall in front of it. The session is already past the auth log, already inside the bastion, and already authorized as whichever account the admin used. CIS Benchmark controls 5.2.22 (ClientAliveInterval) and 5.2.23 (ClientAliveCountMax) call out this gap directly, and NIST 800-53 AC-12 and PCI-DSS 8.1.8 codify session termination as a baseline control. Without ClientAliveInterval set, sshd holds the session open indefinitely, and an attacker with workstation access inherits the live shell with no credential prompt.
The ClientAliveInterval directive is easy to lose. A new server image ships without the sshd_config patch baked in, a Puppet or Ansible run rewrites the file with a stale template, or an on-call engineer raises the interval during an incident and forgets to put it back. The Worklet greps /etc/ssh/sshd_config on every evaluation, checks the current ClientAliveInterval value, and triggers remediation when the directive is missing or set to something other than the target.
Evaluation phase: The Worklet greps /etc/ssh/sshd_config for the active ClientAliveInterval line, extracts the value with awk, and compares it to the desired timeout supplied by the policy. The endpoint is flagged non-compliant when the directive is missing, commented out, or set to a value other than the target. The evaluation script exits 0 when the value matches and exits 1 when remediation is required.
Remediation phase: The script uses sed to remove every existing non-commented ClientAliveInterval and ClientAliveCountMax line from /etc/ssh/sshd_config, then appends the desired ClientAliveInterval value and a ClientAliveCountMax of 0 at the end of the file. It validates the updated configuration with sshd -t, and only on a clean validation does it run systemctl restart sshd to apply the change. A failed sshd -t aborts the restart and exits non-zero so the failure surfaces in Automox activity logs.
Linux endpoint running OpenSSH with /etc/ssh/sshd_config present (RHEL, CentOS, Rocky, Alma, Fedora, Ubuntu, Debian, SUSE)
Root or sudo privileges for the Automox agent so it can rewrite sshd_config and restart the daemon (the default agent context already meets this)
systemctl available for the SSH service restart; on older sysvinit hosts, swap systemctl restart sshd for service ssh restart in the remediation script
Standard utilities present: grep, awk, sed, sshd
Policy parameter set to the desired timeout in seconds; default is 300 seconds when no value is supplied, matching CIS Benchmark 5.2.22
Match block awareness: if /etc/ssh/sshd_config contains Match User or Match Group stanzas, place the ClientAliveInterval directive outside any Match block, or duplicate it inside each block that needs the override
After the Worklet completes, /etc/ssh/sshd_config contains ClientAliveInterval set to the policy value and ClientAliveCountMax 0 at the bottom of the file. New SSH sessions inherit the timeout immediately. Any session that goes idle for longer than ClientAliveInterval seconds with no keystrokes, no output, and no SSH channel traffic is closed by sshd with a Broken pipe or Connection closed by remote host message on the client side. Sessions actively running a command, streaming logs, or holding a tunnel open do not count as idle and are unaffected.
Validate the change with grep -E '^ClientAlive' /etc/ssh/sshd_config, which should print the two directives and their values. Confirm the daemon picked up the new configuration with sshd -T | grep -i clientalive, which reads the effective runtime values rather than the file contents. Check service health with systemctl status sshd and confirm there is no LoadError or Failed line in the unit status. Subsequent Automox evaluations report the endpoint compliant and skip remediation.
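The evaluation and remediation phases described above, the Match block rule from the prerequisites, and the post-change runtime check in one Bash script. This is an added example written for this page, not the Worklet's own script. It assumes three hypothetical parameter names: TIMEOUT and COUNT_MAX carry the policy values (defaults 300 and 0, as on this page), and CONFIG_FILE lets the same functions run against a copy of sshd_config for a dry run instead of the live file. It goes beyond the page in three places: keyword matching is case-insensitive the way sshd's parser is; where the page appends the pair at the end of the file, this version inserts it above the first Match line when one exists so it stays in global scope, and appends otherwise; and a timestamped backup is restored if sshd -t rejects the result. One caveat the page does not state: OpenSSH 8.2 and later treat ClientAliveCountMax 0 as "never terminate", so on those versions COUNT_MAX must be 1 to get the immediate-drop behaviour described above.

```shell
#!/usr/bin/env bash
# Added example for this page, not the Automox Worklet's own script.
# Hypothetical inputs: TIMEOUT and COUNT_MAX hold the policy parameters;
# CONFIG_FILE points the functions at a copy of sshd_config for testing.
set -u

CONFIG_FILE="${CONFIG_FILE:-/etc/ssh/sshd_config}"
TIMEOUT="${TIMEOUT:-300}"    # seconds; 300 matches CIS 5.2.22
COUNT_MAX="${COUNT_MAX:-0}"  # 0 as on the page; on OpenSSH >= 8.2 use 1, since 0 disables termination there

# Evaluation helper: print the active global ClientAliveInterval value, or nothing.
# Keyword matching is case-insensitive like sshd's parser, only the first
# occurrence counts (sshd keeps the first value it reads), and scanning stops at
# the first Match block because directives inside one are conditional.
current_interval() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "clientaliveinterval" { print $2; exit }' "$1"
}

# Evaluation phase: return 0 when compliant, 1 when remediation is required.
evaluate() {
    local file="$1" want="$2" have
    have="$(current_interval "$file")"
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Remediation step 1: drop every active ClientAliveInterval / ClientAliveCountMax
# line (in any scope) and write the canonical pair once, in global scope:
# above the first Match block if there is one, else at the end of the file.
rewrite_config() {
    local file="$1" want="$2" count="$3" tmp
    tmp="$(mktemp)" || return 1
    awk -v want="$want" -v count="$count" '
        function emit() { print "ClientAliveInterval " want; print "ClientAliveCountMax " count; done = 1 }
        tolower($0) ~ /^[ \t]*clientalive(interval|countmax)[ \t]/ { next }
        !done && tolower($1) == "match" { emit() }
        { print }
        END { if (!done) emit() }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat rather than mv so the file keeps its owner, mode and SELinux label
    cat "$tmp" > "$file"; rm -f "$tmp"
}

# Remediation phase: back up, rewrite, validate with sshd -t, then restart.
# The backup and the rollback on failed validation are additions beyond the page.
remediate() {
    local file="$1" want="$2" count="$3" backup
    backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1
    rewrite_config "$file" "$want" "$count" || return 1
    if ! sshd -t -f "$file"; then
        echo "sshd -t rejected $file; restoring $backup and leaving sshd untouched" >&2
        cp -p "$backup" "$file"
        return 1
    fi
    systemctl restart sshd   # sysvinit hosts: service ssh restart
}

# Post-change check: compare the daemon's effective values (sshd -T output on
# stdin, keywords lowercased, defaults included for unset directives) with the policy.
verify_runtime() {
    local want="$1" count="$2"
    awk -v want="$want" -v count="$count" '
        $1 == "clientaliveinterval" { seen_i = 1; ok_i = ($2 == want) }
        $1 == "clientalivecountmax" { seen_c = 1; ok_c = ($2 == count) }
        END { exit !(seen_i && ok_i && seen_c && ok_c) }'
}

case "${1:-}" in
    evaluate)  evaluate "$CONFIG_FILE" "$TIMEOUT" ;;
    remediate) remediate "$CONFIG_FILE" "$TIMEOUT" "$COUNT_MAX" ;;
    verify)    sshd -T | verify_runtime "$TIMEOUT" "$COUNT_MAX" ;;
    "")        ;;   # no phase given: only define the functions (e.g. when sourced)
    *)         echo "usage: $0 evaluate|remediate|verify" >&2 ;;
esac
```

Run it as `script.sh evaluate` from the evaluation policy and `script.sh remediate` from the remediation policy; `script.sh verify` reproduces the sshd -T check from the text. Pointing CONFIG_FILE at a copy of sshd_config exercises the rewrite without touching the daemon, which is how the drop-and-insert logic should be checked before the policy is scheduled.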