Bug 2122288

Summary: RFE: mechanism and logind.conf option to terminate idle sessions
Product: Red Hat Enterprise Linux 8 Reporter: Marek Haicman <mhaicman>
Component: systemdAssignee: Michal Sekletar <msekleta>
Status: CLOSED ERRATA QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: ---CC: jgamba, msekleta, peter.vreman, systemd-maint-list, toneata
Target Milestone: rcKeywords: FutureFeature, Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: systemd-239-68.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2125264 (view as bug list) Environment:
Last Closed: 2022-11-08 10:49:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2125264    

Description Marek Haicman 2022-08-29 17:45:06 UTC 
This bug was initially created as a copy of Bug #2100464

I am copying this bug because: 
We need the same update of the RHEL 8(.6). The functionality of has been lost there too, which negatively affects how secured the system can be.


Description of problem:

The Common Criteria OSPP SFR

  https://www.niap-ccevs.org/MMO/PP/-442-/#FMT_SMF_EXT.1.1

has as one of the security functions that the product should support session timeout. Other security policies have similar requirements.

In the past, a de facto solution was to use sshd's ClientAliveInterval and ClientAliveCountMax options. However, those options were never intended for this purpose, and on RHEL 9 with openssh rebase their behaviour has changed to the extend that it cannot be reliably used for sessions timeouts.

At the same time, systemd-logind has a notion of sessions (and not just for remote connections), and it already has some logic for handling idle sessions. Unfortunately, the IdleAction and IdleActionSec options from /etc/systemd/logind.conf deal with the whole system's status, it does not have the per-session granularity or ability to terminate idle session.

We'd like the systemd-logind's functionality to be extended with logind.conf's option SessionIdleTerminateSec (or similar name) which would set per-session idle accounting and termination of sessions idle for more then the set limit.

Version-Release number of selected component (if applicable):

systemd-250-6.el9_0.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Try to setup session timeout on RHEL where idle sessions would be terminated but the system as whole would keep running.

Actual results:

It is currently not possible.

Expected results:

It should be possible for example by adding

  SessionIdleTerminateSec=10min

to /etc/systemd/logind.conf

Additional info:
Comment 7 Plumber Bot 2022-09-26 12:55:26 UTC 
fix merged to github rhel-8.7.0 branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/332
Comment 13 errata-xmlrpc 2022-11-08 10:49:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (systemd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7727