SSH clients will automatically be disconnected from the server after being idle or inactive for a while.
The client will be prompted the following error message upon disconnection:
user@host:~$ Connection to example.com closed by remote host. Connection to example.com closed.
This is due to the
SSH servers' configuration - often by default - to avoid hanging sessions and free up resources.
You can prevent
SSH connection timeout both from the server and client side.
If you have administrative access to the
SSH server, you can configure it so that it will not disconnect idle sessions. This could be achieved by setting the appropriate parameters for
ClientAliveCountMax on the server as per the following steps:
SSHd configuration file using your favorite editor.
$ sudo vi /etc/ssh/sshd_config
TCPKeepAlive no ClientAliveInterval 30 ClientAliveCountMax 240
What it basically means is that the server will not send the
alive packet to check if the client's connection is working, yet will still send the encrypted
alive message every 30 seconds. It will only disconnect after at least 2 hours of inactivity.
The following is the full explanation for the options;
TCPKeepAlive Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving “ghost” users and consuming server resources. The default is “yes” (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions. To disable TCP keepalive messages, the value should be set to “no”. This option was formerly called KeepAlive. ClientAliveCountMax Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valu‐ able when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to pro‐ tocol version 2 only. ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.
If you don't have administrative access to the server, you can configure your
SSH client to send the
alive message to the server instead to achieve the same result. This is done via the
ServerAliveInterval option for the
You can do this by updating
/etc/ssh/ssh_config (applying the setting to every user in the system) or in
~/.ssh/config (single user). Set the following option to have the client send the
alive packet every 30 seconds to the server;
The other alternative is to manually set the
ServerAliveInterval option every time you're connecting to a server by using the
-o ServerAliveInterval=<time-in-second> prefix as the following example;
$ ssh -o ServerAliveInterval=30 firstname.lastname@example.org
This course is made for Linux admins who seek to secure their Linux work environment by mastering Linux SSH security!
Written by Mohd Shakir Zakaria.
Last updated on 2019-03-26.