Friday, May 28, 2010

How to configure SSH session timeout in Checkpoint NG/NGX?


Ever found yourself swearing when, in the middle of an fw monitor / debug session, you got abruptly thrown out on a session timeout? Me too. Having naively assumed the SSH timeout was managed by the sshd/ssh configs, I was surprised to learn that CP did it their own way.
It turned out the definitions for the interactive session are set here:
cat /etc/bashrc
# By default, log out the user after three minutes of unattended prompt
export TMOUT=180
export SHELL=/bin/bash
# Take into account idle setting of cpshell, if available
if [ -f /etc/cpshell/cpshell.state ]; then
idle=`grep idle /etc/cpshell/cpshell.state | sed s/idle=//`
if [ $idle"UNDEFINED" = "UNDEFINED" ]; then
idle=3
fi
export TMOUT=`expr $idle \* 60`
fi
So to change the default timeout for an SSH session you can:
1) Set the idle variable in /etc/cpshell/cpshell.state; the script above multiplies it by 60 to get TMOUT:
cat /etc/cpshell/cpshell.state
audit=100
idle=100
scroll=1
2) Change the last export directly to whatever you wish:
export TMOUT=7000 # in seconds
Personally, when working on a client's firewall, I set it manually when a long debug session is expected:
[Expert@cp]# TMOUT=700
[Expert@cp]# export TMOUT
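
Since this idle timeout is also what closes an unattended Expert shell, it is worth checking what a given cpshell.state actually works out to. The sketch below is an added example, not part of the original post or of Check Point's scripts: it repeats the /etc/bashrc calculation and flags a result that is disabled or above a limit. MAX_TMOUT, the function names and the handling of a non-numeric idle value are assumptions.

```shell
# Added example, not from the original post or from Check Point.
# MAX_TMOUT and both function names are assumptions made for this sketch.
MAX_TMOUT=${MAX_TMOUT:-900}   # assumed policy ceiling, in seconds

# Print the TMOUT (seconds) that the /etc/bashrc logic derives from a state file.
effective_tmout() {
    state_file=$1
    # No cpshell.state: /etc/bashrc keeps its default of 180 seconds.
    if [ ! -f "$state_file" ]; then
        echo 180
        return 0
    fi
    # Match only lines starting with "idle=" (the original greps any "idle").
    idle=$(sed -n 's/^idle=//p' "$state_file" | tail -n 1)
    # Empty value falls back to 3 minutes as in /etc/bashrc; treating a
    # non-numeric value the same way is an assumption of this example.
    case $idle in
        ''|*[!0-9]*) idle=3 ;;
    esac
    # expr exits non-zero when the result is 0, hence "|| true".
    expr "$idle" \* 60 || true
}

# Return 0 when the timeout is enabled and within MAX_TMOUT, 1 otherwise.
check_tmout() {
    secs=$(effective_tmout "$1")
    if [ "$secs" -eq 0 ] || [ "$secs" -gt "$MAX_TMOUT" ]; then
        echo "WARN: $1 -> TMOUT=$secs (limit $MAX_TMOUT; 0 means no timeout)"
        return 1
    fi
    echo "OK: $1 -> TMOUT=$secs"
}

# Constructed sample: the cpshell.state contents shown in the post (idle=100).
demo_state=$(mktemp)
printf 'audit=100\nidle=100\nscroll=1\n' > "$demo_state"
check_tmout "$demo_state" || true
rm -f "$demo_state"
```

With idle=100 the result is 6000 seconds, and idle=0 gives TMOUT=0, which bash treats as no timeout at all.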
