Configure SSH idle session timeouts on Linux endpoints using the ClientAliveInterval parameter
This Automox Worklet™ modifies the SSH daemon configuration to enforce ClientAliveInterval settings on your Linux endpoints. The Worklet reads the current /etc/ssh/sshd_config file, compares the existing timeout value against your desired setting, and applies the new ClientAliveInterval parameter if changes are needed.
After updating the configuration, the Worklet also sets ClientAliveCountMax to zero so that the SSH daemon closes connections immediately after the timeout expires. The SSH service is then safely restarted to apply the new settings, with configuration validation performed before the restart.
Idle SSH sessions persist indefinitely without timeout controls, creating exploitable attack vectors. Administrators step away from terminals with active SSH connections, leaving privileged access exposed for hours or days. Attackers who compromise workstations gain access to these abandoned sessions and use them to maintain persistence on servers without detection. The sessions bypass authentication logs because they remain technically valid, hiding attacker activity from security monitoring tools.
This Automox Worklet configures ClientAliveInterval to automatically terminate idle sessions after the specified timeout. The approach complies with CIS Benchmarks and NIST 800-53, which mandate session timeout controls. You reduce the window of exposure for unauthorized access by closing sessions that remain inactive beyond the configured interval, while legitimate administrators can quickly re-authenticate when needed and maintain their productivity.
Evaluation phase: The Worklet checks the current ClientAliveInterval value in /etc/ssh/sshd_config using grep and awk commands. If no timeout is configured or the value differs from your desired setting, the evaluation exits with remediation required.
Remediation phase: The Worklet removes any existing ClientAliveInterval and ClientAliveCountMax entries from the configuration, adds the new ClientAliveInterval with your desired timeout value (in seconds), sets ClientAliveCountMax to zero for immediate timeout enforcement, validates the configuration with sshd -t, and safely restarts the SSH service using systemctl restart sshd.
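The evaluation phase described above, sketched as an added example (this is not the Worklet's own script; the function names and the sample configuration are constructed for illustration). It shows why a bare grep is not enough: commented-out lines, mixed-case keywords, duplicate entries and Match blocks can all hide the value sshd actually uses.

```shell
#!/bin/sh
# Added example, not the Worklet's script. Function names are hypothetical.

# Print the first uncommented global value of keyword $2 in file $1.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a Match line apply only conditionally.
first_global_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        { n = split($0, f, /[ \t=]+/) }     # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }   # end of the global section
        tolower(f[1]) == key && n >= 2 { print f[2]; exit }
    ' "$1"
}

# Return 0 if file $1 already enforces timeout $2 (seconds), else 1
# (remediation required), mirroring the evaluation phase described above.
eval_ssh_timeout() {
    interval=$(first_global_value "$1" ClientAliveInterval)
    countmax=$(first_global_value "$1" ClientAliveCountMax)
    [ "$interval" = "$2" ] && [ "$countmax" = "0" ]
}

# Constructed sample configuration (not taken from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# ClientAliveInterval 900
Port 22
clientaliveinterval 300
ClientAliveInterval 0
ClientAliveCountMax=0
Match User backup
    ClientAliveInterval 3600
EOF

if eval_ssh_timeout "$SAMPLE" 300; then
    echo "compliant"
else
    echo "remediation required"
fi
```

On a live host, sshd -T prints the effective configuration, including values from Include files, which this file-only check does not follow. OpenSSH 8.2 and later treat ClientAliveCountMax 0 as disabling connection termination, so confirm the installed version behaves as described before relying on this setting.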
Linux endpoints with SSH server installed and /etc/ssh/sshd_config file present
Root or sudo access to modify SSH daemon configuration and restart the service
System utilities available: grep, awk, sed, systemctl, sshd
Desired SSH timeout value specified as a parameter (default 300 seconds if not provided)
Works on both Linux workstations and servers
After completion, SSH sessions that remain idle for the configured number of seconds are automatically terminated by the SSH daemon. Users attempting to send commands on inactive connections receive "Connection closed by remote host" or "Broken pipe" errors and must re-authenticate. Active sessions with ongoing command execution or data transfer continue unaffected, with the timeout only applying to idle connections with no keyboard input or command activity.
Verify the configuration by running grep ClientAliveInterval /etc/ssh/sshd_config and grep ClientAliveCountMax /etc/ssh/sshd_config to confirm the values match your desired timeout. Test the timeout by establishing an SSH session, remaining idle past the configured interval, then attempting a command, which fails with a disconnection message. Check that systemctl status sshd shows the service running successfully after the configuration change. The policy applies uniformly to all SSH connections, including root and service accounts.
Run this Worklet on a pilot Linux endpoint and review evaluation output for set ssh timeout (clientaliveinterval).
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to the evaluation script logic.
Validate remediation effects from script operations such as sed, then rerun the evaluation to confirm compliance.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
