Page MenuHomeVyOS Platform
Create Task
Maniphest T5369

System login timeout doesnt work as expected
Open, NormalPublicBUG
Actions

Description

I have set following to automatically logout and disconnect any user connected through console or ssh after 10 minutes of inactivity:

set system login timeout 600

However the above doesnt work as expected (or Im perhaps missing some configuration?).

Login timeout doesnt work when user is in "sudo bash" doing nothing, "sudo bash" running htop or as regular user running "monitor bandwidth interface *". Basically anything that renders a screen update invalidates the timeout timer (as it seems).

However login as regular user and then doing nothing will fire the timeout and user will be logged out from ssh after 10 minutes of inactivity as expected:

vyos@vyos:~$ timed out waiting for input: auto-logout

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202307161346
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Security vulnerability

Event Timeline

Apachez created this task.Jul 19 2023, 5:56 PM
pasik added a subscriber: pasik.Jul 19 2023, 7:45 PM
Viacheslav added a subscriber: Viacheslav.Jul 20 2023, 10:49 AM

Actualy is just exports TMOUT option per login

Apachez added a comment.EditedJul 20 2023, 11:27 AM

I think this feature must then be modified with:

  1. Add TMOUT also for the root-user (I assume this would fix the case of when vyos user have runned "sudo bash" and left the screen/console?).
  1. Add following to /etc/ssh/sshd_config
ClientAliveInterval <seconds>
ClientAliveCountMax 1

Ref1: https://ostechnix.com/auto-logout-inactive-users-period-time-linux/

Ref2: https://linuxhandbook.com/auto-logout-linux/

Apachez added a comment.EditedJul 22 2023, 11:34 PM

My proposal after some testing:

  1. Delete file /etc/profile.d/autologout.sh
  1. Add these lines to the bottom of /etc/bash.bashrc
TMOUT=<seconds>
readonly TMOUT
export TMOUT

This way the timeout will occur for both regular users AND root user.

Testing:

Verified with the bash.bashrc changes (note the double timeout when user runs "sudo bash" because first the timeout triggers for root and then for the regular user which means if you use for example timeout 600 seconds when the user is logged as regular user who have elevated to root through "sudo bash" it will take 2x600 seconds before the user is kicked out of inactivity):

Regular user:

vyos@vyos:~$ timed out waiting for input: auto-logout
Connection to 192.168.56.2 closed.

Regular user who have elevated through "sudo bash":

root@vyos:/home/vyos# 
timed out waiting for input: auto-logout
vyos@vyos:~$ timed out waiting for input: auto-logout
Connection to 192.168.56.2 closed.

Note:

I did try these lines by altering /usr/share/vyos/templates/ssh/sshd_config.j2 (and rebooting system and verifying that it picked up the values in /run/sshd/sshd_config):

ClientAliveInterval <seconds>
ClientAliveCountMax 1

but it failed to have any effect by configuring these - perhaps somebody else have a better luck?

The idea would be to get rid of the double timeout an elevated root user gets.

syncer triaged this task as Normal priority.Jul 22 2023, 11:56 PM
syncer moved this task from Need Triage to Backlog on the VyOS 1.4 Sagitta board.
c-po added a subscriber: c-po.Sat, Apr 13, 10:46 AM

There is also an inactivity timer in systemd-logind, but this will log you out even while running e.g. htop and just watching - I wonder if that's the preferred way :/