How to enable SSH login session timeout on Aria product appliances

Article ID: 417913

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Users may observe that the SSH session timeout settings (ClientAliveInterval, ClientAliveCountMax) in the /etc/ssh/sshd_config file on an Aria product appliance appear "greyed out" or are commented out by default.

This article provides the steps to enable and configure these parameters to automatically terminate inactive SSH sessions, which is a standard security hardening practice.

Environment

VMware Aria Automation 8.x

VMware Aria Automation Orchestrator 8.x

VMware Identity Manager 3.3.7

VMware Aria Operations 8.x

VMware Aria Operations for Logs 8.x

Cause

The settings ClientAliveInterval and ClientAliveCountMax in /etc/ssh/sshd_config are commented out (prefixed with a #) by default. This configuration disables the automatic SSH session timeout feature, and the system uses its default behavior.

Resolution

Prerequisites

  • You must back up all VMware Aria Automation or Orchestrator appliances at the same time, simultaneously for all nodes.
  • If you are making the snapshots manually, you must start the snapshots of the second and the third node not more than 40 seconds after you start the snapshots for the first node.
  • If the quiesced state was not achieved for all 3 nodes within the ~40 seconds time frame, the following strings will be found in the logs: "Freeze synchronization failed" and "Sync failed, making inconsistent snapshot". Run the following command from one of the nodes to filter for all vmtoolsd messages:
    • journalctl --identifier=vmtoolsd
  • When you back up the VMware Aria Automation or Orchestrator appliance, disable in-memory snapshots and enable quiescing.

Procedure

To enable and configure the SSH session timeout, you must edit the sshd_config file and restart the sshd service.

  1. Log in to the appliance as root via SSH.
  2. (Recommended) Back up the existing configuration file before making changes:
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  3. Open the SSH configuration file for editing using a text editor, such as vi:
    vi /etc/ssh/sshd_config
  4. Locate the following lines, which are commented out by default:
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
  5. Uncomment these lines (remove the #) and set them according to your organization's security policy. The total timeout in seconds will be ClientAliveInterval multiplied by ClientAliveCountMax.
    • ClientAliveInterval: The time in seconds the server waits before sending a keep-alive message. Must be a non-zero value to be active.
    • ClientAliveCountMax: The number of keep-alive messages that can be sent without a response before the session is dropped.
  6. For example, to set a 6-minute timeout (360 seconds), you would set the values as follows:
    ClientAliveInterval 180
    ClientAliveCountMax 2
  7. Save the file and exit the editor.
  8. (Recommended) Test the new configuration syntax for errors before restarting the service:
    sshd -t
  9. If no errors are reported, restart the SSH service to apply the changes:
    systemctl restart sshd
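
Steps 2 to 9 above as a script, added here as an example and not part of the original article. The function names are assumptions; the script relies on sshd using the first value it reads for a keyword, so it rewrites the existing lines in the global section instead of appending new ones.

```shell
#!/bin/sh
# Added example, not from the original article; function names are illustrative.

# effective_value FILE KEYWORD: first active value in the global section
# (before any Match block). sshd matches keywords case-insensitively and uses
# the first value it reads. Assumes "Keyword value" separated by whitespace.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# set_keepalive FILE INTERVAL COUNT: save FILE.bak, then set both keywords
# once in the global section. The first commented or active occurrence is
# replaced, later global duplicates are dropped, and a missing keyword is
# added before the first Match block (or at end of file).
set_keepalive() {
    for n in "$2" "$3"; do
        case "$n" in ''|*[!0-9]*) echo "numeric values required" >&2; return 2 ;; esac
    done
    cp -p "$1" "$1.bak" || return 1
    awk -v i="$2" -v c="$3" '
        function emit(k, v) { if (!(k in seen)) { print k " " v; seen[k] = 1 } }
        function both() { emit("ClientAliveInterval", i); emit("ClientAliveCountMax", c) }
        { line = $0; sub(/^[ \t]*[#]?[ \t]*/, "", line); split(line, f, /[ \t]+/); k = tolower(f[1]) }
        tolower($1) == "match" { both(); inmatch = 1 }
        !inmatch && k == "clientaliveinterval" { emit("ClientAliveInterval", i); next }
        !inmatch && k == "clientalivecountmax" { emit("ClientAliveCountMax", c); next }
        { print }
        END { both() }' "$1.bak" > "$1"
}

# drop_after_seconds FILE: ClientAliveInterval x ClientAliveCountMax, using the
# defaults shown in the article (0 and 3) when unset. 0 means no timeout.
drop_after_seconds() {
    i=$(effective_value "$1" ClientAliveInterval)
    c=$(effective_value "$1" ClientAliveCountMax)
    echo $(( ${i:-0} * ${c:-3} ))
}

# apply_keepalive INTERVAL COUNT: steps 2 to 9 on the live file, as root.
# If sshd -t rejects the result the backup is restored and sshd is not restarted.
apply_keepalive() {
    cfg=/etc/ssh/sshd_config
    set_keepalive "$cfg" "$1" "$2" || return 1
    if sshd -t -f "$cfg"; then systemctl restart sshd
    else cp -p "$cfg.bak" "$cfg"; return 1; fi
}
```

On the appliance, source the file as root and run `apply_keepalive 180 2` for the 6-minute example; `drop_after_seconds /etc/ssh/sshd_config` then reports 360.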

Additional Information

Warning: It is highly recommended to keep a separate, active SSH session open while performing these changes. A syntax error in the sshd_config file could prevent the sshd service from restarting, which could lock you out of remote SSH access.

These settings are user-configurable to align with specific security hardening policies and are not mandated to a specific value by default.