Problem: In some situations, sshd does not terminate when client connections drop, even if KeepAlives are turned on. "w" shows ghost users, and open processes (sshd and running programs) consume system resources until manually killed.

System: i386, RH7, openssh-server-2.3.0p1-4, kernel 2.2.17

Details: Observed primarily when the ssh client is behind a masquerading firewall. When the client was idle for a period of time, the firewall would time out the connection, leading the client to recognize a dropped connection (when a key was finally pressed). However, the sshd process that was spawned did not terminate, even after several hours. KeepAlives are turned on. This was repeatable for my configuration. (Linux server at home on DSL, laptop client at work behind firewall.)

This was also observed when an ssh client from a machine with a real IP address was suddenly disconnected. (Cable unplugged and machine turned off.) "w" displayed a user idle over 24 hours, well past the TCP keepalive window of 2 hours.

Of note, the non-open version of sshd used previously (from ssh.com) has an "IdleTimeout" configuration directive that would terminate a connection after a period of nonuse. That directive and functionality appear deprecated (or never included) in openssh. It would be an effective workaround to the bug described above, as it would recognize no user activity, even if the TCP keepalive was not functioning correctly for some reason.

Separately, IdleTimeout would be a great feature to have back (as an option for those system administrators that want it) and should perhaps be added as a feature request separate from this bug report.
I can't reproduce this with openssh server in the current Fedora Core.
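
An added example, not part of the original report or of OpenSSH: a small check that reads `w -h` output and lists sessions idle longer than the 2-hour TCP keepalive window the report mentions, as candidates for orphaned sshd processes. It assumes the procps `w -h` column layout with the FROM column present; the sample lines, user names and addresses are constructed.

```python
import re

KEEPALIVE_WINDOW = 2 * 60 * 60  # the 2-hour TCP keepalive window cited in the report

# IDLE field layouts printed by procps `w`, with seconds per captured group.
_IDLE_FORMATS = [
    (re.compile(r"(\d+)days"), (86400,)),        # e.g. "3days"
    (re.compile(r"(\d+):(\d+)m"), (3600, 60)),   # hours:minutes, e.g. "24:13m"
    (re.compile(r"(\d+):(\d+)"), (60, 1)),       # minutes:seconds, e.g. "5:12"
    (re.compile(r"(\d+)\.\d+s"), (1,)),          # seconds.hundredths, e.g. "3.00s"
]

def idle_seconds(field):
    """Convert one IDLE field from `w` into whole seconds."""
    for pattern, weights in _IDLE_FORMATS:
        m = pattern.fullmatch(field)
        if m:
            return sum(int(g) * w for g, w in zip(m.groups(), weights))
    raise ValueError(f"unrecognised IDLE field: {field!r}")

def stale_sessions(w_output, threshold=KEEPALIVE_WINDOW):
    """Return (user, tty, from, idle_seconds) for sessions idle past threshold."""
    stale = []
    for line in w_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue  # blank or truncated line
        # Assumed layout: USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
        user, tty, origin, idle = cols[0], cols[1], cols[2], cols[4]
        secs = idle_seconds(idle)
        if secs > threshold:
            stale.append((user, tty, origin, secs))
    return stale

# Constructed sample of `w -h` output (not taken from the report).
SAMPLE_W = """
alice    pts/0    192.0.2.10       09:12   24:13m  0.10s  0.10s -bash
bob      pts/1    198.51.100.7     Mon10    3days  0.05s  0.05s vi notes
carol    pts/2    203.0.113.5      14:01    5:12   0.02s  0.02s -bash
dave     pts/3    192.0.2.44       14:30    3.00s  0.01s  0.01s w
"""

if __name__ == "__main__":
    for user, tty, origin, secs in stale_sessions(SAMPLE_W):
        print(f"{user} on {tty} from {origin}: idle {secs // 3600}h, check its sshd")
```

A long idle time only means no terminal input, so each hit is a candidate to confirm against the matching sshd process before killing anything.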