Table of Contents

How to prevent SSH session timeouts

SSH connections that drop after a short period of inactivity interrupt long-running tasks, file transfers, and monitoring sessions. Frequent idle disconnections increase the risk of half-finished deployments and force repeated logins on busy systems.

The OpenSSH stack controls idle behaviour using server-side options such as TCPKeepAlive, ClientAliveInterval, and ClientAliveCountMax in /etc/ssh/sshd_config and client-side options such as ServerAliveInterval in /etc/ssh/ssh_config or ~/.ssh/config. Adjusting these timers changes how long an idle session is allowed to stay open and how aggressively unreachable peers are cleaned up.

Raising keepalive intervals and counters can keep sessions stable through temporary network issues, stateful firewalls, or VPN timeouts, but very long-lived sessions may conflict with security policies on shared servers. Server-side changes require administrative access and affect every user, whereas client-side keepalives apply only to the local user configuration and are safer when policy is unknown.

Related: How to enable SSH client keepalive
Related: How to configure the log level for an SSH server

Steps to prevent SSH session timeouts:

Methods to prevent SSH connection timeout:

Avoid SSH timeout from the server

On the server side, idle SSH sessions stay active longer by tuning TCPKeepAlive, ClientAliveInterval, and ClientAliveCountMax in /etc/ssh/sshd_config. These settings define how often sshd probes connected clients and how many unanswered probes are tolerated before the session is dropped.

  1. Open a terminal on the SSH server. 
    $ whoami
user
  2. Open the server /etc/ssh/sshd_config file in a text editor. 
    $ sudo vi /etc/ssh/sshd_config
  3. Set TCPKeepAlive to no to disable kernel TCP keepalive probes and rely on encrypted keepalives from sshd. 
    TCPKeepAlive no
    TCPKeepAlive
        Specifies whether the system should send TCP keepalive messages to the other side.  If they are sent, death of the
        connection or crash of one of the machines will be properly noticed.  However, this means that connections will die
        if the route is down temporarily.
##### snipped #####
  4. Set ClientAliveInterval to an interval in seconds such as 30 to send encrypted keepalive messages periodically. 
    ClientAliveInterval 30
    ClientAliveInterval
        Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a
        message through the encrypted channel to request a response from the client.
  5. Set ClientAliveCountMax to a higher value such as 240 so unresponsive clients are disconnected only after extended inactivity. 
    ClientAliveCountMax 240
    ClientAliveCountMax
        Sets the number of client alive messages which may be sent without sshd receiving any messages back from the client.
        If this threshold is reached while client alive messages are being sent, sshd will disconnect the client.
  6. Save the changes in /etc/ssh/sshd_config.

    Large ClientAliveCountMax values keep idle sessions connected for a long time, which may violate security policies on multi-user servers.

  7. Exit the text editor.
  8. Validate the sshd configuration syntax before restarting the service. 
    $ sudo sshd -t

    Syntax errors in /etc/ssh/sshd_config prevent sshd from starting and can block remote logins.

    Related: How to test SSH server configuration

  9. Restart the ssh service so the new timeout settings take effect. 
    $ sudo systemctl restart ssh

    Related: How to manage the SSH server service with systemctl in Linux

  10. Confirm that ssh is active after the restart. 
    $ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Sun 2026-01-11 05:11:11 +08; 140ms ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 13794 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 13795 (sshd)
      Tasks: 1 (limit: 4546)
     Memory: 2.7M (peak: 3.5M)
        CPU: 32ms
     CGroup: /system.slice/ssh.service
             └─13795 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
##### snipped #####
  11. Verify that an idle SSH session remains connected longer than before by leaving it open without input. 
    $ ssh user@host.example.net hostname
host

Avoid SSH timeout from the client

When server-side changes are not possible, the SSH client sends periodic keepalive messages with ServerAliveInterval to keep idle sessions visible to the server and intermediate firewalls.

  1. Open the SSH client configuration file for the current user. 
    $ vi ~/.ssh/config

    Edit /etc/ssh/ssh_config instead of ~/.ssh/config to apply the option to all users on the system.

  2. Add or adjust a host block with a suitable ServerAliveInterval value such as 30 seconds. 
    Host example
    HostName example.com
    ServerAliveInterval 30
  3. Save the client configuration file.

    Very short intervals on many clients can generate unnecessary background traffic on constrained links.

  4. Alternatively, specify ServerAliveInterval directly on the SSH command line for ad hoc connections. 
    $ ssh -o ServerAliveInterval=30 user@host.example.net hostname
host
  5. Confirm that the server now keeps the idle session active for the configured time by leaving the connection open without input. 
    $ ssh -o ServerAliveInterval=30 user@host.example.net hostname
host