Date:      Fri, 03 May 2013 16:27:15 -0500
From:      Joshua Isom <jrisom@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: sshd - time out idle connections
Message-ID:  <51842BB3.6070501@gmail.com>
In-Reply-To: <13EF2CCE-397D-4456-A553-B331D9314C26@my.gd>
References:  <1698EAB7-4B40-466D-98CB-782E9E494578@my.gd> <5183CEF5.1070604@ssimicro.com> <13EF2CCE-397D-4456-A553-B331D9314C26@my.gd>

On 5/3/2013 10:05 AM, Fleuriot Damien wrote:
> Thanks for your response Markham,
>
>
> I'm afraid labor law is much too protective here for us to be able to "educate" users in this way;)
>
> Your idea to run a cron job every X minutes has merit though, I'll try and check into that !
>

If labor law's stopping you, what does the law say about 
security/privacy breaches because someone stole a laptop that was still 
connected to your server?

Run a cron job, and kill any ssh process that's lasted longer than five 
minutes, ignore what's being run.  Also kill any detached process by 
that user.  If you must do something, you probably have sudo rights to 
pause cron.  Why are you allowing ssh if you're not letting it be usable?

I might also look into the annoyance of having a different 
authentication method just for ssh, setting its pam config to be 
different than other services.  If everything else uses kerberos, have 
ssh just use unix and not kerberos.  It seems like a simple way to 
further limit access.
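
The cron-driven sweep suggested in the message above, as an added example that is not part of the original e-mail: it selects per-session sshd processes by elapsed time (`etime`, which measures connection age, not idleness). The `MAX_AGE` variable, the `--demo`/`--list`/`--kill` flags, the `sshd: user@tty` process-title pattern and the sample `ps` lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original message. Does nothing without a flag.
MAX_AGE=${MAX_AGE:-300}   # seconds; the five minutes suggested above

# Strip one leading zero so "08" is not read as octal by $(( )).
nz() { v=${1#0}; echo "${v:-0}"; }

# Convert a ps(1) etime value, [[dd-]hh:]mm:ss, to seconds.
etime_to_seconds() {
    e=$1; d=0; h=0
    case $e in *-*) d=${e%%-*}; e=${e#*-} ;; esac
    s=${e##*:}; e=${e%:*}
    m=${e##*:}
    case $e in *:*) h=${e%%:*} ;; esac
    echo $(( $(nz "$d") * 86400 + $(nz "$h") * 3600 + $(nz "$m") * 60 + $(nz "$s") ))
}

# Read "pid etime user command..." lines; print PIDs of per-session sshd
# processes older than MAX_AGE. Assumption: sessions carry the process title
# "sshd: user@tty"; the listener and the [priv] monitor are skipped.
stale_sshd_pids() {
    while read -r pid etime user cmd; do
        case $cmd in
            "sshd: "*@*) ;;
            *) continue ;;
        esac
        if [ "$(etime_to_seconds "$etime")" -gt "$MAX_AGE" ]; then
            echo "$pid"
        fi
    done
}

# Constructed sample of `ps -axo pid=,etime=,user=,command=` output.
SAMPLE='  701 12-03:10:44 root /usr/sbin/sshd
  812    01:07:09 alice sshd: alice@pts/0
  813       02:15 bob sshd: bob@pts/1
  990  1-00:00:08 carol sshd: carol@notty
  991       09:00 carol sshd: carol [priv]'

case ${1:-} in
    --demo) printf '%s\n' "$SAMPLE" | stale_sshd_pids ;;   # prints 812, 990
    --list) ps -axo pid=,etime=,user=,command= | stale_sshd_pids ;;
    --kill) ps -axo pid=,etime=,user=,command= | stale_sshd_pids |
                while read -r p; do kill -HUP "$p"; done ;;
esac
```

Run it with `--list` from the shell first to confirm which sessions match before scheduling `--kill` from cron.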


