Description Gabriel Gaspar Becker
2021-11-10 16:47:38 UTC
Description of problem:
Many security policies have a security requirement related to disconnecting idle users from remote connections. So far, this requirement has been fulfilled by misusing the ClientAliveInterval and ClientAliveCountMax options by setting ClientAliveCountMax to zero. Newer versions of openssh completely dropped this undocumented behavior, and currently there is no other alternative to fulfill the requirement.
This RFE is to add such a mechanism, where idle users are automatically disconnected from the remote connection after a certain predefined time.
Related BZs:
https://bugzilla.redhat.com/show_bug.cgi?id=2015828
https://bugzilla.redhat.com/show_bug.cgi?id=1873547
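An added example, not part of the original report or of openssh: a small Python check that flags an sshd_config still relying on the ClientAliveCountMax 0 idiom described above, including the case where a later line is shadowed by an earlier one. The function names and sample configurations are constructed for illustration; Match blocks and Include files are not evaluated.

```python
import re

# sshd_config defaults for the two keywords involved.
DEFAULTS = {"clientaliveinterval": "0", "clientalivecountmax": "3"}
# "Keyword value" or "Keyword=value"; comment lines never match \w+.
_LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(\S+)")

def effective_global(config_text):
    """Map keyword -> (value, line number) for the global section.

    sshd keeps the first value it reads for a keyword and matches
    keywords case-insensitively. Simplifications in this example:
    parsing stops at the first Match block and Include is not followed.
    """
    seen = {}
    for number, raw in enumerate(config_text.splitlines(), start=1):
        m = _LINE.match(raw.strip())
        if not m:  # blank line or comment
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword == "match":
            break
        seen.setdefault(keyword, (value, number))  # first value wins
    return seen

def audit_idle_timeout(config_text):
    """Classify how the config tries to handle idle SSH sessions."""
    cfg = effective_global(config_text)
    interval, _ = cfg.get("clientaliveinterval",
                          (DEFAULTS["clientaliveinterval"], None))
    count, line = cfg.get("clientalivecountmax",
                          (DEFAULTS["clientalivecountmax"], None))
    if count == "0":
        # The idiom from this report: newer openssh no longer treats
        # it as an idle timeout, so the control is silently absent.
        status = "relies-on-removed-idiom"
    else:
        # Keepalive probes only drop unresponsive clients, not idle users.
        status = "keepalive-only"
    return {"status": status, "line": line, "interval": interval}

# Constructed sample: the legacy compliance setting.
SAMPLE_LEGACY = "# constructed sample\nClientAliveInterval 600\nclientalivecountmax=0\n"
# Constructed sample: a hardening script appended the setting after an
# earlier value, so sshd never sees the 0.
SAMPLE_SHADOWED = "ClientAliveCountMax 3\nClientAliveInterval 900\nClientAliveCountMax 0\n"

if __name__ == "__main__":
    for name, text in (("legacy", SAMPLE_LEGACY), ("shadowed", SAMPLE_SHADOWED)):
        print(name, audit_idle_timeout(text))
```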
Comment 2 Dmitry Belyavskiy
2021-11-11 10:25:52 UTC
Upstream suggests some sort of workaround for this issue. Gabriel, would you mind trying it?
Comment 3 Gabriel Gaspar Becker
2021-11-11 10:37:46 UTC
(In reply to Dmitry Belyavskiy from comment #2)
> Upstream suggests some sort of workaround for this issue. Gabriel, would you
> mind trying it?
I've provided a reply with our findings about TMOUT usage in OpenSSH Project 3362.
Since the upstream has removed the ClientAliveCountMax/ClientAliveInterval de facto method which worked for most use cases, and this is needed for STIG/PCI DSS compliance, what is our plan to help support our customers with their compliance requirements in RHEL 8.6+ and 9?