Date: Fri, 03 May 2013 16:27:15 -0500
From: Joshua Isom <jrisom@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: sshd - time out idle connections
Message-ID: <51842BB3.6070501@gmail.com>
In-Reply-To: <13EF2CCE-397D-4456-A553-B331D9314C26@my.gd>
References: <1698EAB7-4B40-466D-98CB-782E9E494578@my.gd> <5183CEF5.1070604@ssimicro.com> <13EF2CCE-397D-4456-A553-B331D9314C26@my.gd>

On 5/3/2013 10:05 AM, Fleuriot Damien wrote:
> Thanks for your response Markham,
>
> I'm afraid labor law is much too protective here for us to be able to "educate" users in this way ;)
>
> Your idea to run a cron job every X minutes has merit though, I'll try and check into that!
>

If labor law's stopping you, what does the law say about security/privacy breaches because someone stole a laptop that was still connected to your server? Run a cron job, and kill any ssh process that's lasted longer than five minutes, ignore what's being run. Also kill any detached process by that user. If you must do something, you probably have sudo rights to pause cron. Why are you allowing ssh if you're not letting it be usable?

I might also look into the annoyance of having a different authentication method just for ssh, setting its PAM config to be different than other services. If everything else uses Kerberos, have ssh just use unix and not Kerberos. It seems like a simple way to further limit access.
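
The cron job suggested in the message above, as an added example that is not part of the original e-mail: it selects per-connection sshd processes by elapsed time and hangs them up. It assumes a ps that supports the `etimes` keyword; the function names, the `MAX_AGE` variable and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: find per-connection sshd processes older than a limit.
# Assumption: ps supports the "etimes" keyword (elapsed seconds).

MAX_AGE="${MAX_AGE:-300}"   # five minutes, the limit suggested in the message

# Reads "pid etimes user command..." lines on stdin and prints the PID of
# every per-connection sshd process older than $1 seconds.
stale_sshd_pids() {
    awk -v max="$1" '
        # Per-connection processes retitle themselves "sshd: alice@pts/0"
        # or "sshd: alice [priv]". The listener shows a path instead
        # ("/usr/sbin/sshd ..." or "sshd: /usr/sbin/sshd [listener] ...").
        $4 == "sshd:" && $5 !~ /^\// && ($2 + 0) > (max + 0) { print $1 }
    '
}

# Constructed sample input, used when the script is called with "demo".
sample_ps() {
    cat <<'EOF'
  812   86400 root  /usr/sbin/sshd
 4101    1260 root  sshd: alice [priv] (sshd)
 4105    1258 alice sshd: alice@pts/0 (sshd)
 4300     120 root  sshd: bob [priv] (sshd)
 4302     118 bob   sshd: bob@pts/1 (sshd)
 4310     900 bob   ssh build.example.org
EOF
}

case "${1:-}" in
    demo) sample_ps | stale_sshd_pids "$MAX_AGE" ;;
    kill) # Intended for cron: hang up every session past the limit.
          ps -ax -o pid= -o etimes= -o user= -o command= |
              stale_sshd_pids "$MAX_AGE" |
              while read -r pid; do kill -HUP "$pid"; done ;;
esac
```

Called with `demo` it prints the PIDs it would select from the sample list; called with `kill` from root's crontab it acts on the live process table.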