Linux – Is it insecure to leave open an SSH connection

Tags: linux, security, ssh

I am running an Ubuntu virtual server at a remote location, and several people have SSH access to the server for reasons of web-dev and other various things. When I set up the server I set various parameters including 'TMOUT=1800', causing all SSH sessions to be terminated after 30 minutes of inactivity.

One of my web-developers is constantly asking me to turn off the timeout because he 'keeps getting logged out of the server' and does not like having to enter in his password every 30 minutes.

I enabled the timeout for security reasons, so as not to allow SSH sessions to stay open for periods of time that are longer than needed, as it is an open connection to the server with root access.

The developer is arguing with me that it is perfectly okay to leave the connection open all the time, which I imagine is not a good thing.

Should I turn the SSH Timeout off (is it okay to leave open inactive SSH connections)? Or should I tell him to deal with it? Reasoning?

Best Answer

I don't believe that leaving the connection open is any more of a risk than having SSH available in the first place.

If anything, one might argue that repeated connections represent more of a risk. But that is highly theoretical, based on possible sniffing of the connection attempts over the network.

The more realistic main risk from leaving the connection open is the possibility that the client PC might be compromised whilst the connection is open. So it would be sensible to set the timeout to a reasonable period such as 4, 8 or 12 hours depending on the usage patterns and the sensitivity of the data on the host system.

4 hours allows for a normal half day's work, 8 hours a nominal day's work and 12 hours for a more realistic elapsed day's work. On a remote connection service that I'm currently helping to specify, I've just asked for remote connections to be kept open for 12 rather than 8 hours in order to match a more normal working elapsed day. I really don't see this as much of an increased risk since the client PCs auto-lock after 5 minutes of inactivity and there is a standing instruction to manually lock the PC when moving away from the desk.
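As an added example, not part of the original question or answer, the POSIX shell script below renders the idle-timeout policy the answer suggests (4, 8 or 12 hours) as a read-only TMOUT profile snippet, and emits the sshd keepalive lines that complement it on the server side. The file path /etc/profile.d/idle-timeout.sh and the 300 s / 3-probe keepalive values are assumptions, not from the page.

```shell
#!/bin/sh
# Added example (not from the original thread): render a system-wide bash idle
# timeout that users cannot simply 'unset', plus the sshd keepalive lines that
# complement it. Paths and file names below are assumptions, not from the page.

# Convert a whole number of hours (1..24) to seconds for TMOUT; fail on bad input.
idle_timeout_seconds() {
    hours="$1"
    case "$hours" in
        ''|*[!0-9]*) echo "hours must be a positive integer" >&2; return 1 ;;
    esac
    [ "$hours" -ge 1 ] && [ "$hours" -le 24 ] || { echo "hours out of range" >&2; return 1; }
    echo $((hours * 3600))
}

# Emit the contents of an /etc/profile.d snippet. 'readonly' matters: without it
# any user can run 'unset TMOUT' and defeat the policy. Bash only enforces TMOUT
# at an idle interactive prompt, so a session sitting inside vim or 'tail -f' is
# not closed, and shells that do not implement TMOUT are not covered at all.
render_tmout_profile() {
    secs=$(idle_timeout_seconds "$1") || return 1
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$secs"
}

# Server-side complement for sshd_config (assumed values): probe an unresponsive
# client every 300 s and drop it after 3 missed replies (15 min). This removes
# dead sessions whose laptop went to sleep; it does NOT log out an idle but
# responsive client, so it is not a substitute for TMOUT.
render_sshd_keepalive() {
    printf 'ClientAliveInterval 300\nClientAliveCountMax 3\n'
}

# Write the profile snippet into a directory (default /etc/profile.d) and print
# the resulting path. Mode 0644 keeps it readable by every login shell.
install_tmout_profile() {
    dir="${2:-/etc/profile.d}"
    target="$dir/idle-timeout.sh"
    render_tmout_profile "$1" > "$target" || return 1
    chmod 0644 "$target"
    echo "$target"
}
```

Run `install_tmout_profile 8` as root to apply an 8-hour policy; new login shells pick it up, existing sessions keep their old value until they reconnect.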
