5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)

Level 1 - Server
Level 1 - Workstation 

The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.

Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent.

Run the following commands and verify ClientAliveInterval is 300 or less and ClientAliveCountMax is 3 or less:

# grep "^ClientAliveInterval" /etc/ssh/sshd_config 
ClientAliveInterval 300 
# grep "^ClientAliveCountMax" /etc/ssh/sshd_config 
ClientAliveCountMax 0

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

ClientAliveInterval 300 
ClientAliveCountMax 0