From: Joshua Isom <jrisom@gmail.com>
To: freebsd-questions@freebsd.org
Date: Fri, 03 May 2013 16:27:15 -0500
Subject: Re: sshd - time out idle connections
Message-ID: <51842BB3.6070501@gmail.com>
In-Reply-To: <13EF2CCE-397D-4456-A553-B331D9314C26@my.gd>

On 5/3/2013 10:05 AM, Fleuriot Damien wrote:
> Thanks for your response Markham,
>
>
> I'm afraid labor law is much too protective here for us to be able to "educate" users in this way ;)
>
> Your idea to run a cron job every X minutes has merit though, I'll try and check into that !
>

If labor law's stopping you, what does the law say about security/privacy breaches because someone stole a laptop that was still connected to your server?

Run a cron job, and kill any ssh process that's lasted longer than five minutes, ignoring what's being run. Also kill any detached process by that user. If you must do something, you probably have sudo rights to pause cron. Why are you allowing ssh if you're not letting it be usable?

I might also look into the annoyance of having a different authentication method just for ssh, setting its PAM config to be different than other services. If everything else uses Kerberos, have ssh just use unix and not Kerberos.
It seems like a simple way to further limit access.
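The cron-job reaper Joshua sketches above (kill every ssh session older than five minutes, then kill whatever that user left running) as an added, runnable example; this is not code from the list post or from FreeBSD. It assumes ps(1) understands the `etimes` keyword (FreeBSD and procps do), that per-session sshd children show up as `sshd: user@pts/N` (FreeBSD appends ` (sshd)`), and that `pkill -U` accepts a user name; the five-minute threshold, the `root` exemption, the `sshd-idle-reaper` syslog tag and the sample ps output are all constructed for the example.

```shell
#!/bin/sh
# sshd idle-session reaper: added example, not from the list post.
# dry-run : print what would be killed
# run     : kill it (meant for cron)

MAX_AGE=${MAX_AGE:-300}                 # five minutes, as the post suggests (assumption)
EXEMPT_USERS=${EXEMPT_USERS:-"root"}    # users whose sessions are never reaped (assumption)

# Read "PID ELAPSED USER COMMAND" lines (ps -axo pid,etimes,user,command) on
# stdin and print "pid user" for each per-session sshd child older than $1
# seconds whose user is not in the space-separated exemption list $2.
# The listener (/usr/sbin/sshd) and the privsep parents ("sshd: alice [priv]")
# carry no "@" in field 5 and are skipped; "alice@notty" (scp/sftp) is
# matched on purpose, since the post says to ignore what is being run.
select_stale_sessions() {
    awk -v max="$1" -v exempt="$2" '
        BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) ex[e[i]] = 1 }
        $4 == "sshd:" && $5 ~ /@/ && ($2 + 0) > (max + 0) && !($3 in ex) { print $1, $3 }
    '
}

# Constructed ps output used to illustrate the selection (not real hosts).
SAMPLE_PS='  PID ELAPSED USER     COMMAND
  812      87 root     /usr/sbin/sshd
 1200     420 root     sshd: alice [priv]
 1203     419 alice    sshd: alice@pts/0 (sshd)
 1210     418 alice    -sh (sh)
 1300      45 root     sshd: bob [priv]
 1302      44 bob      sshd: bob@pts/1 (sshd)
 1400     900 root     sshd: root@pts/2 (sshd)
 1500     700 carol    sshd: carol@notty (sshd)'

# Live pass over the process table. In "run" mode the session child is sent
# TERM (its privsep parent exits with it), then, as the post's second step,
# every remaining process of that user is killed too. That also takes out the
# user's other live sessions and screen/tmux/nohup jobs, which is what the
# post asks for, so exempt anyone for whom that is not acceptable.
reap_idle_sessions() {
    mode=$1
    ps -axo pid,etimes,user,command |
        select_stale_sessions "$MAX_AGE" "$EXEMPT_USERS" |
        while read -r pid user; do
            if [ "$mode" = run ]; then
                logger -t sshd-idle-reaper "killing session pid $pid of $user (older than ${MAX_AGE}s)"
                kill -TERM "$pid" 2>/dev/null || true
                pkill -TERM -U "$user" 2>/dev/null || true
            else
                echo "would kill session pid $pid of $user, then all remaining processes of $user"
            fi
        done
}

case "${1-}" in
    run|dry-run) reap_idle_sessions "$1" ;;
    "")          ;;   # no mode: only define the functions (allows sourcing/testing)
    *)           echo "usage: $0 {dry-run|run}" >&2; exit 64 ;;
esac
```

Run it as `sh sshd-idle-reaper dry-run` first to see which sessions it would pick; for the post's cron approach a FreeBSD /etc/crontab line such as `*/5 * * * * root /usr/local/sbin/sshd-idle-reaper run` (path and interval assumed) does the killing. The selection logic is kept in its own function so it can be checked against canned ps output without touching the live system; against the constructed sample and a 300-second threshold it picks alice's and carol's sessions, skips bob (too young) and skips root (exempt).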