Is it insecure to leave open an SSH connection?

4

2

I am running an Ubuntu Virtual server at a remote location, and several people have SSH access to the server for reasons of web-dev and other various things. When I setup the server I set various parameters including 'TMOUT=1800', causing all SSH sessions to be terminated after 30 minutes of inactivity.

One of my web-developers is constantly asking me to turn off the timeout because he 'keeps getting logged out of the server' and does not like having to enter in his password every 30 minutes.

I enabled the timeout for security reasons, as to not allow SSH sessions to stay open for periods of time that are longer then needed, as it is an open connection to the server with root access.

The developer is arguing with me that it is perfectly okay to leave the connection open all the time, which I imagine is not a good thing.

Should I turn the SSH Timeout off (is it okay to leave open inactive SSH connections)? Or should I tell him to deal with it? Reasoning?

Matt Clark

Posted 2013-01-23T22:46:32.387

Reputation: 1 819

I know this is a couple of years old but the question remains relevant. My 2 cents: 1) a remote server is not the place to be doing active development; local development (in a VM if platform parity is a concern) -> push to source repo -> deploy and test remote is a better pattern. 2) PCI DSS standard recommends 15 minute timeout. Your dev should thank his lucky stars he gets 30m. 3) the timeout should be "activity" timeout -- if he's doing something in the terminal he shouldn't get forcefully disconnected – JDS – 2017-02-09T17:40:43.650

Why don't you tell your web-developer to set ServerAliveInterval on his machine instead? – terdon – 2013-01-23T22:51:24.300

1Security is not a binary problem. There is no on = good, or off = bad. Security should always be related to the RISKS your system faces, with some considerations for the usability as well. The reason for setting a timeout would be if you are concerned that people might be able to take control of a computer with an active sessions. If you are pretty confident the clients are secure, then the time out is pointless/annoying. Is the data high value, is the system a potential stepping stone into some other extremely critical system? Only you know. – Zoredache – 2013-01-23T22:52:25.050

1For the record I have used SSH, as a VPN, with it left open for a few weeks between a couple systems because I couldn't get my normal VPN software to work through a particularly strict firewall, and the parties responsible for the firewall were not out for a while. The client/server where very secure, the connection was secure. Nothing abut the duration of the session made it insecure. – Zoredache – 2013-01-23T22:57:59.953

I appreciate the response. I guess until something happens, I have no reason to lock it all down. My concern was the possibility of some hijacking of an open session. – Matt Clark – 2013-01-23T22:59:44.163

The reason its not safe is because anyone could walk up to his computer and issue any command they want. The fact its perfectly safe to leave an SSH connection open is not the concern your trying to address by having a timeout. I don't understand his complaint to be honest since there are ways to keep a connection like this alive automatically. – Ramhound – 2013-01-24T01:02:29.410

@MattClark Somewhat off-topic, but it may be worth mentioning that if the server in question has tmux or screen installed (or the developer can install it in their home directory) they could easily save themselves the problem of lost work from session timeouts. This wouldn't solve the issue of having to type in their password, but it's better than nothing. (:

– Jeremy Sandell – 2013-01-24T16:40:16.417

Answers

5

I don't believe that leaving the connection open is any more of a risk than having SSH available in the first place.

If anything, one might argue that repeated connections represented more of a risk. But that is highly theoretical based on possible sniffing of the connection attempts over the network.

The more realistic main risk from leaving the connection open is the possibility that the client PC might be compromised whilst the connection is open. So it would be sensible to set the timeout to a reasonable period such as 4, 8 or 12 hours depending on the usage patterns and the sensitivity of the data on the host system.

4 hours allows for a normal 1/2 day's work. 8 hours a nominal days work and 12 hours for a more realistic elapsed day's work. On a remote connection service that I'm currently helping to specify, I've just asked for remote connections to be kept open for 12 rather than 8 hours in order to match a more normal working elapsed day. I really don't see this as much of an increased risk since the client PC's auto-lock after 5 minutes of inactivity and there is a standing instruction to manually lock the PC when moving away from the desk.

Julian Knight

Posted 2013-01-23T22:46:32.387

Reputation: 13 389

Actually, you have to take into account that longer the connection is opened, greater there's a chance that an attacker have enough time to crack the keys using a brute force attack. That's why there's a re-key mechanism in SSH. So if one chooses to keep SSH connection open long time, he/she must ensure that re-key happens regularly. – Martin Prikryl – 2017-10-30T07:05:07.120

A point Martin, and especially relevant given the recent re-key issue in WPA2. As I said though, these risks are relatively low for normal use. That might be different for high security use where timeouts would certainly be more agressive. – Julian Knight – 2017-11-02T21:16:10.663

1

If the ssh users have ie superuser privileges. Then the question becomes "do the users have a screen lock or other security measure to stop another person from sitting at their computer and accessing their shell?".

It is possible in an open plan office situation to have a co-worker sit at another employee's desk to shut-it-down and inadvertently shutdown the server.

A user with ill-intent could create themselves a user account or change passwords to existing accounts in order to gain access at a later date.

etc... etc...

So yes there are security issues to leaving ssh connections open for long periods of time if the workstation is not secured from non-authorized persons.

I reckon, ask the developer if he is willing to take responsibility for all staff in the company and if any hack attempt is made on any workstation that is left un-attended he would become the sole person responsible for the damage done !?

There is no risk of password snooping or ssh interception as such, by setting the time-out you are protecting the company against insecure workstations and opportunists who would take advantage of non supervised shell with damaging privileges.

user192032

Posted 2013-01-23T22:46:32.387

Reputation:

0

If security is a factor, then no, you should not disable timeouts. A developer's convenience does not outweigh the need for basic security. It is not ok to leave a connection open all the time. Is he sitting at his desk the entire time he is connected? What if he walks away for an hour for lunch and someone sits down and has an open connection?

Keltari

Posted 2013-01-23T22:46:32.387

Reputation: 57 019

Asked: 2013-01-23T22:46:32.387

Viewed: 3 016 times

Active: 2013-01-24T01:25:41.310