Bug 2022064

Summary: [RFE] Implement a mechanism to disconnect idle users
Product: Red Hat Enterprise Linux 8
Component: openssh
Version: 8.6
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Reporter: Gabriel Gaspar Becker <ggasparb>
Assignee: Dmitry Belyavskiy <dbelyavs>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: ccheney, jjelen, mhavrila, tsorense, vpolasek
Target Milestone: rc
Target Release: ---
Keywords: FutureFeature, Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-09-08 12:27:48 UTC
Type: Feature Request

Description Gabriel Gaspar Becker 2021-11-10 16:47:38 UTC
Description of problem:

Many security policies have a security requirement related to disconnecting idle users from remote connections. So far, this requirement has been fulfilled by misusing the ClientAliveInterval and ClientAliveCountMax options by setting ClientAliveCountMax to zero. Newer versions of OpenSSH completely dropped this undocumented behavior, and currently there is no other alternative to fulfill the requirement.

This RFE is to add such a mechanism where idle users are automatically disconnected from the remote connection after a certain predefined time.

Related BZs: 
https://bugzilla.redhat.com/show_bug.cgi?id=2015828
https://bugzilla.redhat.com/show_bug.cgi?id=1873547
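
An added example (not from the bug report or from OpenSSH) that audits an sshd_config for the ClientAliveCountMax 0 setting described above, since a naive grep misjudges duplicate keywords and Match blocks. It assumes sshd's documented first-value-wins parsing and Match-block overrides; `SAMPLE`, `parse` and `audit` are hypothetical names, and the sample configuration is constructed.

```python
import re

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """\
# hardening profile
ClientAliveInterval 600
clientalivecountmax 0
ClientAliveCountMax 3
Match User backup
    ClientAliveCountMax 0
"""


def parse(text):
    """Return (global_opts, match_blocks); values are (value, line_no).

    Keywords are case-insensitive and, within a scope, the first value
    obtained for a keyword is the one sshd uses.
    """
    glob, matches, block = {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            block = {}                      # later lines belong to this block
            matches.append((val, block))
        else:
            (glob if block is None else block).setdefault(key, (val, no))
    return glob, matches


def audit(text):
    """List (scope, line_no) where the effective ClientAliveCountMax is 0.

    Assumption: on OpenSSH versions that dropped the undocumented behaviour,
    these scopes no longer disconnect idle users and need another control.
    """
    glob, matches = parse(text)
    scopes = [("global", glob)] + [("Match " + c, o) for c, o in matches]
    return [(scope, opts["clientalivecountmax"][1])
            for scope, opts in scopes
            if opts.get("clientalivecountmax", ("", 0))[0] == "0"]


if __name__ == "__main__":
    for scope, line_no in audit(SAMPLE):
        print(f"line {line_no} ({scope}): relies on ClientAliveCountMax 0")
```

A non-zero ClientAliveCountMax is not reported because it only drops clients that stop answering keepalives, which is a different control from an idle timeout.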

Comment 2 Dmitry Belyavskiy 2021-11-11 10:25:52 UTC
Upstream suggests some sort of workaround for this issue. Gabriel, would you mind trying it?

Comment 3 Gabriel Gaspar Becker 2021-11-11 10:37:46 UTC
(In reply to Dmitry Belyavskiy from comment #2)
> Upstream suggests some sort of workaround for this issue. Gabriel, would you
> mind trying it?

I've provided a reply with our findings about TMOUT usage in OpenSSH Project 3362.

Comment 4 Tom Sorensen 2022-03-29 17:21:31 UTC
Since the upstream has removed the ClientAliveCountMax/ClientAliveInterval de facto method which worked for most use cases, and this is needed for STIG/PCI DSS compliance, what is our plan to help support our customers with their compliance requirements in RHEL 8.6+ and 9?