Force close active SSH connections after a defined time interval

December 22, 2017


How to kill an active SSH session after a defined time interval?

Every Linux admin has used the idle timeout in /etc/ssh/sshd_config, set by the two options ClientAliveInterval and ClientAliveCountMax.

I won’t even bother to explain what those mean and how to use them; the internet is full of examples.

But, how about when the user is not idle?

Let’s assume you have the very improbable scenario where you need to limit your users’ SSH connections to a specific duration, e.g. 15 or 30 minutes.

What are the options?

I was surprised, but there’s none already implemented, so I started looking for ways of doing this. My first thought was to use one of the following commands to identify the active sessions:

A little more information with:

Again, little information using last:

What to use from any of the above?

Well, the useful pieces of information for my scenario are:

  • the username
  • the login time
  • the tty.. could be useful, will see that later
  • the [priv] tells us the user is “sudo”-ed ..
  • the I.P. address

What can be done with this information?

We can create a script to calculate the time since login and kill the user’s session based on username or IP (or pts?!). So, let’s see what’s possible:

Using the username, you can kill a session by issuing the command pkill -KILL -u $user. If a user has 2 sessions, one started 1 minute ago and the other one 15 minutes ago, killing the 15-minute session will kill the 1-minute session too. So this was the 1st “no GO”.

The same applies to the IP, so this is the 2nd “no GO”.

Using the pts: there’s no direct command to kill a specific tty session; however, you can use ps to get more information on that specific tty:

So, we have a PID, a username and a session start time (STIME). We can use this information to calculate the time since the session started, and kill the PID when the time limit is reached.

Is there any other way to achieve the same, in an easier way? Is the above way of interrogating the system correct?

Well, there is! Using the following query:

Elapsed will show you the time passed since the sshd session started, therefore you don’t actually need to calculate this anymore. You also have the PID, the username and the tty.

 

So, let’s put a script together using the above system query.

Remove “sshd:” and “@” from the output and separate the output in columns:

Now, let’s store the information somehow and see what it looks like:

So, let’s create some variables out of our array elements:

So, now we have the 4 elements of each line as variables.

What you can do:

  • send a message to the tty of every user before killing the session, let’s say 1 minute in advance
  • compare the session time with a predefined timeout value and kill the session when the timeout value is reached
  • set a cron job to run at specific time intervals (I tested with 1-minute intervals, but it is your choice)

Which information is actually essential from everything? Well, just the timeout interval, the session time and the session PID.

So, let’s put all together, using what we actually need:
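An added example of the approach described above, not the author's script: it reads `ps -eo pid=,etime=,args=` output, converts the elapsed column to seconds, and selects only the `sshd: user@pts/N` processes past the limit, so a user's newer session is left alone. The function names, the 900-second default, the `ENFORCE` switch, the `ssh-timelimit` log tag and the sample `ps` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pick out SSH sessions that exceeded a time limit, per PID.
MAX_SECONDS=${MAX_SECONDS:-900}          # assumed limit: 15 minutes

# Reads "pid etime args" lines on stdin and prints "pid user tty seconds"
# for every per-session sshd process at least $1 seconds old.
expired_sessions() {
    awk -v max="$1" '
        # ps etime format is [[dd-]hh:]mm:ss
        function secs(t,   d, i, n, p) {
            d = 0; i = index(t, "-")
            if (i) { d = substr(t, 1, i - 1); t = substr(t, i + 1) }
            n = split(t, p, ":")
            if (n == 3) return d * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
            return d * 86400 + p[1] * 60 + p[2]
        }
        # Only "sshd: user@pts/N" owns one interactive session; the
        # listener and the "sshd: user [priv]" parent lines are skipped.
        $3 == "sshd:" && $4 ~ /^[^@]+@pts\/[0-9]+$/ {
            age = secs($2)
            split($4, who, "@")
            if (age >= max) print $1, who[1], who[2], age
        }'
}

# Meant to run as root from cron: end each over-limit session by PID.
enforce() {
    ps -eo pid=,etime=,args= | expired_sessions "$MAX_SECONDS" |
    while read -r pid user tty age; do
        logger -t ssh-timelimit "ending $user on $tty (pid $pid) after ${age}s"
        kill "$pid"
    done
}

# Constructed sample of `ps -eo pid=,etime=,args=` output (not real data).
SAMPLE=' 1021    02:10:44 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
 4310       16:02 sshd: alice [priv]
 4355       16:01 sshd: alice@pts/0
 4420       00:58 sshd: alice@pts/1
 5102  1-03:20:05 sshd: bob@pts/2
 5200       20:00 sshd: carol@notty'

if [ "${ENFORCE:-0}" = 1 ]; then
    enforce
else
    printf '%s\n' "$SAMPLE" | expired_sessions "$MAX_SECONDS"   # dry run
fi
```

Without `ENFORCE=1` it only prints what it would end, using the constructed sample. Sessions without a terminal show up as `user@notty` and are not matched by this pattern.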

Now, save your script in a location, e.g. /opt/my_scripts/

Paste the content of the script and save with :wq, then run crontab -e and add the following line:

The above will run your script every minute.

P.S.

For a version of the script that will warn the user ~1 minute before the session is killed, check my GitHub repository.

Enjoy!

 

Marin Nedea
I'm passionate about open source software and technologies. In my spare time I build simple and functional websites from scratch, using PHP+HTML5+CSS3+MySQL and when I'm bored, I write simple PHP_CLI or bash scripts to play around on my Linux machine.
