Bug 2022064 - [RFE] Implement a mechanism to disconnect idle users
Summary: [RFE] Implement a mechanism to disconnect idle users
Keywords:
Status: CLOSED DUPLICATE of bug 2100464
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssh
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Dmitry Belyavskiy
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-10 16:47 UTC by Gabriel Gaspar Becker
Modified: 2022-12-31 00:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-08 12:27:48 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 3362 0 None None None 2021-11-11 10:25:52 UTC
Red Hat Issue Tracker CRYPTO-7282 0 None None None 2022-05-20 22:24:23 UTC
Red Hat Issue Tracker RHELPLAN-102440 0 None None None 2021-11-10 20:44:52 UTC

Description Gabriel Gaspar Becker 2021-11-10 16:47:38 UTC
Description of problem:

Many security policies have a security requirement related to disconnecting idle users from remote connections. So far, this requirement has been fulfilled by misusing the ClientAliveInterval and ClientAliveCountMax options by setting ClientAliveCountMax to zero. Newer versions of openssh completely dropped this undocumented behavior and currently there is no other alternative to fulfill the requirement.

This RFE is to add such a mechanism where idle users are automatically disconnected from the remote connection after a certain predefined time.

Related BZs: 
https://bugzilla.redhat.com/show_bug.cgi?id=2015828
https://bugzilla.redhat.com/show_bug.cgi?id=1873547
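
An added example, not part of the bug report or of openssh: a small Python check that flags an sshd_config still relying on the ClientAliveCountMax 0 idiom described above. It assumes sshd's first-value-wins keyword handling and reads only the global section (no Match blocks or Include files); the function names and the sample config are constructed for illustration.

```python
import re

# sshd_config(5) defaults for the two keywords the report discusses.
DEFAULTS = {"clientaliveinterval": "0", "clientalivecountmax": "3"}
# keyword, then whitespace or a single '=', then the first (optionally quoted) argument
LINE = re.compile(r'^\s*([A-Za-z]+)(?:\s*=\s*|\s+)"?([^\s"#]+)')

def effective_global(config_text):
    """Effective global ClientAlive* values: first occurrence wins, keywords
    are case-insensitive, parsing stops at the first Match block."""
    seen = {}
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line, comment, or keyword without an argument
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        if keyword in DEFAULTS and keyword not in seen:
            seen[keyword] = value
    return {**DEFAULTS, **seen}

def audit_idle_timeout(config_text):
    """Return findings for configs that expect ClientAlive* to end idle sessions."""
    eff = effective_global(config_text)
    interval, count_max = eff["clientaliveinterval"], eff["clientalivecountmax"]
    findings = []
    if interval != "0" and count_max == "0":
        findings.append(
            f"ClientAliveInterval {interval} + ClientAliveCountMax 0: relies on "
            "the undocumented idle-disconnect behavior the report says was dropped")
    return findings

# Constructed sample input, not taken from any real host.
LEGACY_SAMPLE = """\
# idle timeout per hardening guide
ClientAliveInterval 600
clientalivecountmax=0
ClientAliveCountMax 3
Match User backup
    ClientAliveInterval 0
"""

if __name__ == "__main__":
    for finding in audit_idle_timeout(LEGACY_SAMPLE):
        print("FINDING:", finding)
```

A finding here means the host's idle-session requirement needs another control, since the keepalive settings alone no longer provide it.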

Comment 2 Dmitry Belyavskiy 2021-11-11 10:25:52 UTC
Upstream suggests some sort of workaround for this issue. Gabriel, would you mind trying it?

Comment 3 Gabriel Gaspar Becker 2021-11-11 10:37:46 UTC
(In reply to Dmitry Belyavskiy from comment #2)
> Upstream suggests some sort of workaround for this issue. Gabriel, would you
> mind trying it?

I've provided a reply with our findings about TMOUT usage in OpenSSH Project 3362.

Comment 4 Tom Sorensen 2022-03-29 17:21:31 UTC
Since the upstream has removed the ClientAliveCountMax/ClientAliveInterval de facto method which worked for most use cases, and this is needed for STIG/PCI DSS compliance, what is our plan to help support our customers with their compliance requirements in RHEL 8.6+ and 9?

