From: Polytropon
To: Fleuriot Damien
Cc: FreeBSD questions
Date: Sat, 4 May 2013 05:15:46 +0200
Subject: Re: sshd - time out idle connections
Message-Id: <20130504051546.700b724b.freebsd@edvax.de>
In-Reply-To: <4559E77E-D897-4096-924C-CC034BB0D655@my.gd>
References: <20130503151810.c829c479@mail.olivent.com> <4559E77E-D897-4096-924C-CC034BB0D655@my.gd>

On Fri, 3 May 2013 17:22:04 +0200, Fleuriot Damien wrote:

> Allow me to add a bit of context here.
>
> We're wrapping things up to obtain the PCI DSS certification which
> is awarded for running through a long and annoying series of hoops.
> This certification is rather important to our business so like it
> or not, we have to play along.
I'm familiar with this stupid concept. They are forcing you to fiddle
with things that work fine as it is, just to get a sheet of shiny
paper. After all, this sheet of paper allows you to raise your
prices. :-)

> Allowing the use of screen defeats the purpose of logging out idle
> connections, I don't think we're going to pass this specific
> requirement if we let users run screen.

What _defines_ an idle connection?

Let's say a user logs in via SSH and leaves the session untouched.
Idle for 5 minutes? True. Disconnect.

But what about this? After logging in, the user starts some program,
maybe something like top, mc (Midnight Commander) or pine. Is this
also considered idle? Is idle tied to "keystrokes received on the
other end", or more like "data sent to the client"? Is one sufficient,
or are both required, to consider a connection "not idle", therefore
not disconnecting it?

What about batch processes? Can a user log in, submit a batch job,
and then leave, while his batch job starts to run 10 minutes later
(and finishes after 30 minutes)?

Does the oh so holy specification for the glorious certification say
anything about it, something you could incorporate into the concept
and _then_ come up with an idea for implementation?

The only chance to _really_ comply with the "certification rule" and
therefore defeat any countermeasures possibly taken by users (tmux,
screen, detach et al.) is to disconnect _any_ connection regardless
of what the user is doing, killing all additional background
processes and "at"-timed commands. Does this stop users from being
idle more than 5 minutes? Sure, but it also STOPS THEM FROM DOING
ACTUAL WORK, depending on how they use their SSH connections for
that!

However, the most excellent certification does not take that into
account, so why should you? ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
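As an added illustration, not part of Polytropon's message or of any FreeBSD or OpenSSH code, the script below applies the "keystrokes received" reading of "idle" that the message asks about, using the IDLE column of w(1). It assumes the procps-ng output formats for that column (the kernel-side detail that tty reads, i.e. keystrokes, update the atime w reports, while program output does not, is my understanding of Linux, not something the thread states), a constructed sample of `w -h` output, and the 5-minute limit from the thread; the function names idle_seconds and flag_idle are mine.

```shell
#!/bin/sh
# Added example (not from the thread): judge SSH sessions by the one
# "idle" measure the base tools readily give you, the IDLE column of
# w(1). procps-ng w derives it from the tty's atime, which Linux
# updates on tty reads (keystrokes) but not on writes (program
# output), so a session sitting in top still accrues idle time.
# Formats assumed (procps-ng): "12.00s", "5:34" (min:sec),
# "5:34m" (hour:min), "3days". FreeBSD's w prints the column
# differently; adapt the case arms for it.

IDLE_LIMIT=300   # the 5-minute rule discussed in the thread

# Convert one procps-ng IDLE field to whole seconds.
idle_seconds() {
    case "$1" in
        *days)
            echo $(( ${1%days} * 86400 )) ;;
        *m)
            hm=${1%m}; h=${hm%%:*}; m=${hm##*:}
            m=${m#0}; m=${m:-0}          # "05" -> 5, avoids octal parsing
            echo $(( h * 3600 + m * 60 )) ;;
        *s)
            echo "${1%%.*}" ;;           # drop fractional seconds
        *:*)
            min=${1%%:*}; sec=${1##*:}
            sec=${sec#0}; sec=${sec:-0}
            echo $(( min * 60 + sec )) ;;
        *)
            echo 0 ;;
    esac
}

# Read `w -h` lines (USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT) on
# stdin; print "user tty idle_seconds what" for every session over
# the limit. Assumes the FROM column is present (plain w -h, not w -f).
flag_idle() {
    while read -r user tty from login idle jcpu pcpu what; do
        secs=$(idle_seconds "$idle")
        if [ "$secs" -ge "$IDLE_LIMIT" ]; then
            printf '%s %s %s %s\n' "$user" "$tty" "$secs" "$what"
        fi
    done
}

# Constructed sample of `w -h` output (not captured from a real host).
SAMPLE_W='alice    pts/0    10.0.0.5   09:12    7:02   0.10s  0.05s  -bash
bob      pts/1    10.0.0.9   09:30    6:40   1.20s  1.10s  top
carol    pts/2    10.0.0.7   08:00    3.00s  0.30s  0.30s  screen -r
dave     pts/3    10.0.0.2   Sat02    3days  0.00s  0.00s  -sh'

# alice, bob and dave are reported (bob's top is writing to his
# terminal the whole time, yet he counts as idle); carol is not,
# although screen keeps her processes alive after the connection is
# dropped, which is exactly the loophole the thread is about.
printf '%s\n' "$SAMPLE_W" | flag_idle
```

On a live host you would run `w -h | flag_idle`; the tty column in the output is what you would hand to `pkill -t` if you took Polytropon's "disconnect everything" route. Note what the script cannot do: it says nothing about batch jobs, at(1) entries or detached screen/tmux sessions, so it only answers the "which connections are idle" question, not the compliance question.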