Secure Session Logout - Cisco ASR 5000 Administration Manual

Staros release 21.1
• User tries to login with local context username through local context (VPN) interface with authorized-key configured on local context.
• User tries to login with non-local context username through non-local context interface with authorized-key configured on non-local context.
• User tries to login with local context username through non-local context interface with authorized-key configured on local context.
• User tries to login with non-local context username through local context interface with authorized-key configured on non-local context.

A failure to authenticate based on the current system configuration prevents the login and generates an error message.

StarOS does not permit users with different user IDs but having the same public SSH key to login to an unauthorized context. Authentication of the user takes into account the authorized-key/user-account pairing.

Important: For StarOS release 21.0 onwards, a user cannot access the /flash directory if the user logs in from a non-local context.

Secure Session Logout

When StarOS is disconnected from an SSH client, the default behavior has sshd terminate the CLI or SFTP session in about 45 seconds (using default parameters). Two SSH Configuration mode CLI commands allow you to disable or modify this default sshd disconnect behavior.

Important: For higher security, Cisco recommends at least a client-alive-countmax of 2 and client-alive-interval of 5. Smaller session logout values may lead to occasional ssh session logouts. Adjust values to balance security and user friendliness.

The client-alive-countmax command sets the number of client-alive messages which may be sent without sshd receiving any messages back from the SSH client (default = 3). If this threshold is reached while the client-alive messages are being sent, sshd disconnects the SSH client, thus terminating the session.

The client-alive-interval command sets a timeout interval in seconds (default = 15) after which, if no data has been received from the SSH client, sshd sends a message through the encrypted channel to request a response from the client. The number of times that the message is sent is determined by the client-alive-countmax parameter. The approximate amount of time before sshd disconnects an SSH client is: disconnect = client-alive-countmax × client-alive-interval.

The client-alive mechanism is valuable when the client or server depends on knowing when a connection has become inactive.

Important: The client-alive messages are sent through the encrypted channel and, therefore, are not spoofable.

ASR 5000 System Administration Guide, StarOS Release 21.1
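The four key-based login cases listed earlier on this page all reduce to one rule: the authorized-key must be configured in the context that owns the user account, and the context of the interface the client connects through does not change the outcome; a key paired with one user ID cannot be reused under another. The following model is an added example written for this page, not StarOS code; the context names, usernames and key fingerprints are constructed sample values.

```python
# Added illustration of the authorized-key / user-account pairing rule; it is a
# model written for this page, not StarOS code. Contexts, usernames and key
# fingerprints below are constructed sample values.

# Authorized keys as configured per context: context -> {key fingerprint: username}.
# A key configured on the local context authorizes only the local-context account
# it is paired with; the key for a non-local (VPN) context account must be
# configured on that non-local context.
AUTHORIZED_KEYS = {
    "local": {"SHA256:AAAAexamplefingerprint": "admin"},
    "vpn1": {"SHA256:BBBBexamplefingerprint": "ops"},
}


def authorize_login(username, user_context, interface_context, key_fingerprint):
    """Decide a key-based login attempt.

    username / user_context: the account being logged into and the context that
    owns it.  interface_context: the context of the interface the SSH client
    connected through (it does not affect the decision, matching the four cases
    on the page).  key_fingerprint: the public key the client presented.
    Returns (allowed, reason).
    """
    keys_for_context = AUTHORIZED_KEYS.get(user_context, {})
    paired_user = keys_for_context.get(key_fingerprint)
    if paired_user is None:
        # No authorized-key for this key on the account's own context. The key
        # may be configured elsewhere (e.g. on the local context), but that
        # does not authorize an account in a different context.
        return False, f"no authorized-key for this key configured on context {user_context}"
    if paired_user != username:
        # Same public key, different user ID: the key is paired with another
        # account, so the login is refused.
        return False, f"key is paired with user {paired_user}, not {username}"
    return True, f"{username}@{user_context} authenticated through {interface_context} interface"


def page_cases():
    """The four permitted cases from the page followed by two refused variants."""
    return [
        authorize_login("admin", "local", "local", "SHA256:AAAAexamplefingerprint"),
        authorize_login("ops", "vpn1", "vpn1", "SHA256:BBBBexamplefingerprint"),
        authorize_login("admin", "local", "vpn1", "SHA256:AAAAexamplefingerprint"),
        authorize_login("ops", "vpn1", "local", "SHA256:BBBBexamplefingerprint"),
        # key configured on the local context, but the account belongs to vpn1
        authorize_login("admin", "vpn1", "vpn1", "SHA256:AAAAexamplefingerprint"),
        # the same public key presented under a different user ID
        authorize_login("bob", "local", "local", "SHA256:AAAAexamplefingerprint"),
    ]


if __name__ == "__main__":
    for allowed, reason in page_cases():
        print("ALLOW" if allowed else "DENY ", reason)
```

The first four calls in page_cases() are the four permitted combinations from the page; the last two show the failures the text describes (key on the wrong context, and the same key under a different user ID).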
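To see how the two client-alive commands combine into an effective idle-disconnect time, and to check a configuration against the defaults and the recommended floor given in this section, here is an added audit helper. It is not StarOS code: the configuration dump it parses is a constructed plain-text rendering of the two command names from the page, and treating a zero value as "disabled" is a modelling assumption (the page only says the commands can disable the behavior).

```python
import re

# Added audit helper for the client-alive settings this section describes. It is
# not StarOS code; the config dump format it parses is a constructed plain-text
# rendering of the two SSH Configuration mode commands named on the page.

DEFAULT_COUNTMAX = 3        # page: client-alive-countmax default
DEFAULT_INTERVAL = 15       # page: client-alive-interval default (seconds)
RECOMMENDED_COUNTMAX = 2    # page: Cisco's recommended floor
RECOMMENDED_INTERVAL = 5

_SETTING_RE = re.compile(r"^\s*(client-alive-countmax|client-alive-interval)\s+(\d+)\s*$")


def parse_client_alive(config_text):
    """Return (countmax, interval); commands not present keep their defaults."""
    countmax, interval = DEFAULT_COUNTMAX, DEFAULT_INTERVAL
    for line in config_text.splitlines():
        match = _SETTING_RE.match(line)
        if not match:
            continue  # unrelated configuration line
        name, value = match.group(1), int(match.group(2))
        if name == "client-alive-countmax":
            countmax = value
        else:
            interval = value
    return countmax, interval


def disconnect_seconds(countmax, interval):
    """Approximate idle-disconnect time: countmax x interval, as stated on the page.

    A zero value is treated here as disabling the mechanism (modelling
    assumption, see lead-in) and reported as None.
    """
    if countmax == 0 or interval == 0:
        return None
    return countmax * interval


def audit_client_alive(config_text):
    """Summarise the effective setting and flag values worth a second look."""
    countmax, interval = parse_client_alive(config_text)
    seconds = disconnect_seconds(countmax, interval)
    findings = []
    if seconds is None:
        findings.append("idle disconnect disabled: dead sessions are never reaped")
    else:
        if countmax < RECOMMENDED_COUNTMAX or interval < RECOMMENDED_INTERVAL:
            findings.append("below Cisco's recommended floor (2 / 5): expect occasional spurious logouts")
        if seconds > DEFAULT_COUNTMAX * DEFAULT_INTERVAL:
            findings.append("slower than the default 45 s: idle sessions linger longer")
    return {
        "countmax": countmax,
        "interval": interval,
        "disconnect_seconds": seconds,
        "findings": findings,
    }


# Constructed sample dumps (not real device output).
DEFAULT_DUMP = "unrelated sshd configuration line\n"
RECOMMENDED_DUMP = "client-alive-countmax 2\nclient-alive-interval 5\n"
TOO_AGGRESSIVE_DUMP = "client-alive-countmax 1\nclient-alive-interval 2\n"
SLOW_DUMP = "client-alive-countmax 10\nclient-alive-interval 60\n"
DISABLED_DUMP = "client-alive-interval 0\n"

if __name__ == "__main__":
    for name, dump in [("defaults", DEFAULT_DUMP), ("recommended", RECOMMENDED_DUMP),
                       ("too aggressive", TOO_AGGRESSIVE_DUMP), ("slow", SLOW_DUMP),
                       ("disabled", DISABLED_DUMP)]:
        print(f"{name:15s} {audit_client_alive(dump)}")
```

With nothing configured the helper reports the page's 45-second default (3 × 15); the recommended 2 / 5 pair gives about 10 seconds; values below that floor are flagged as likely to cause the spurious logouts the text warns about.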