Server-Side SSH Timeout Settings with host_access_control

May 31, 2020

As part of the process to get an Exadata rack ready for running 19c databases, many clusters have to go through an upgrade from Oracle Linux 6 to Oracle Linux 7.  As part of that upgrade, Oracle took the opportunity to make several configuration changes for security purposes.  One of those changes relates to the SSH shell and idle timeout values.

Oracle cites the STIG (Security Technical Implementation Guides) as the reasoning for the changes, which drop the SSH client idle timeout from 24 hours (86,400 seconds) to 10 minutes (600 seconds).  The practical effect is that a session is disconnected after 10 minutes without input from the client, even when a long-running command is still executing in the foreground.  I've had issues with this after an upgrade, particularly when running datapatch or closing the compute node upgrade with dbnodeupdate.sh.

Zed Anwar has a really good post on one way to work around this from the client side, but a client-based fix has to be applied on every workstation and jump host that connects, which is hard to manage.  For environments that are not bound to the 10-minute STIG value, I will frequently move the idle timeout up to an hour (3,600 seconds).

The wrong way to make this change is to hand-edit /etc/ssh/sshd_config and the shell profile on each node: it is error-prone, it leaves nodes in the cluster inconsistent, and it bypasses the tooling Oracle uses to manage these settings.  Instead, Oracle provides the /opt/oracle.cellos/host_access_control script, which has many subcommands for changing the security settings on an Exadata host.  In this case, the timeout settings are managed with the "idle-timeout" subcommand.  Current values can be seen by running it with the --status or -s flag:

[root@dm01db01 ~]# /opt/oracle.cellos/host_access_control idle-timeout -s
[INFO] [IMG-SEC-0402] Shell timeout is set to TMOUT=14400
[INFO] [IMG-SEC-0403] SSH client idle timeout is set to ClientAliveInterval 3600

Note that the two values are different mechanisms.  TMOUT is bash's interactive timeout: the shell exits after waiting that many seconds for a line of input at the prompt, so it does not affect a shell that is running a foreground command.  ClientAliveInterval is sshd's client keepalive interval, and whether and when sshd drops the connection also depends on ClientAliveCountMax.  To change the settings, pass the new values in seconds for the SSH client idle timeout (-c, --client) and/or the shell idle timeout (-l, --shell).  For example, to go back to the default settings from Oracle Linux 6, I would enter the following:

[root@dm01db01 ~]# /opt/oracle.cellos/host_access_control idle-timeout -l 14400 -c 86400
[INFO] [IMG-SEC-0403] SSH client idle timeout is set to 86400
[INFO] [IMG-SEC-0A02] SSHD Service restarted. Changes in effect for new connections.
[INFO] [IMG-SEC-0404] Shell timeout set to 14400

There you go - the changes have been applied and the SSHD service was restarted.  As the output says, the new ClientAliveInterval only applies to new connections, and the new TMOUT is picked up by new login shells, so existing sessions keep the old values until you reconnect.  Another nice thing about using host_access_control is that it allows you to make changes across the entire cluster via dcli, removing the need to log in to each host:

[root@dm01db01 ~]# dcli -l root -g ~/dbs_group /opt/oracle.cellos/host_access_control idle-timeout -l 14400 -c 86400
dm01db01: [INFO] [IMG-SEC-0403] SSH client idle timeout is set to 86400
dm01db01: [INFO] [IMG-SEC-0A02] SSHD Service restarted. Changes in effect for new connections.
dm01db01: [INFO] [IMG-SEC-0404] Shell timeout set to 14400
dm01db02: [INFO] [IMG-SEC-0403] SSH client idle timeout is set to 86400
dm01db02: [INFO] [IMG-SEC-0A02] SSHD Service restarted. Changes in effect for new connections.
dm01db02: [INFO] [IMG-SEC-0404] Shell timeout set to 14400
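After a cluster-wide change it is worth confirming that every node actually ended up at the intended value and that nobody left a node on the old 24-hour setting.  The script below is an added example for this post, not part of the original or of Oracle's tooling.  It parses the output of dcli running host_access_control idle-timeout -s (the dcli output embedded here is constructed for the example, and the hostnames and the 3,600-second policy ceiling are assumptions) and reports any node whose TMOUT or ClientAliveInterval exceeds the ceiling, or whose two values disagree.  It expects the "host: " prefix that dcli adds to each line.

```shell
#!/bin/sh
# Added example: audit Exadata idle-timeout settings collected with
#   dcli -l root -g ~/dbs_group /opt/oracle.cellos/host_access_control idle-timeout -s
# Hostnames, values and the policy ceiling below are constructed/assumed.

# Constructed dcli output: one compliant node, one node still at the OL6
# defaults, and one node where the shell and SSH values disagree.
SAMPLE_DCLI_OUTPUT='dm01db01: [INFO] [IMG-SEC-0402] Shell timeout is set to TMOUT=3600
dm01db01: [INFO] [IMG-SEC-0403] SSH client idle timeout is set to ClientAliveInterval 3600
dm01db02: [INFO] [IMG-SEC-0402] Shell timeout is set to TMOUT=14400
dm01db02: [INFO] [IMG-SEC-0403] SSH client idle timeout is set to ClientAliveInterval 86400
dm01db03: [INFO] [IMG-SEC-0402] Shell timeout is set to TMOUT=600
dm01db03: [INFO] [IMG-SEC-0403] SSH client idle timeout is set to ClientAliveInterval 3600'

# Read dcli output on stdin; print one "host tmout clientaliveinterval" line
# per node, sorted by hostname.
parse_idle_timeouts() {
    awk '
        /Shell timeout is set to TMOUT=/ {
            host = $1; sub(/:$/, "", host)          # strip the dcli "host:" prefix
            match($0, /TMOUT=[0-9]+/)
            tmout[host] = substr($0, RSTART + 6, RLENGTH - 6)
        }
        /SSH client idle timeout is set to ClientAliveInterval/ {
            host = $1; sub(/:$/, "", host)
            cai[host] = $NF                         # last field is the interval in seconds
        }
        END { for (h in tmout) print h, tmout[h], cai[h] }
    ' | sort
}

# Read dcli output on stdin and compare every node against a ceiling in
# seconds ($1). Exit status 0 if all nodes are at or below the ceiling,
# 1 if any node exceeds it. Mismatched values are reported as warnings.
audit_idle_timeouts() {
    max_seconds=$1
    failures=0
    parsed=$(parse_idle_timeouts)
    while read -r host tmout cai; do
        [ -n "$host" ] || continue
        tmout=${tmout:-0}; cai=${cai:-0}
        if [ "$tmout" -gt "$max_seconds" ] || [ "$cai" -gt "$max_seconds" ]; then
            echo "FAIL $host: TMOUT=$tmout ClientAliveInterval=$cai exceeds ${max_seconds}s"
            failures=$((failures + 1))
        elif [ "$tmout" -ne "$cai" ]; then
            echo "WARN $host: TMOUT=$tmout and ClientAliveInterval=$cai differ"
        else
            echo "OK   $host: TMOUT=$tmout ClientAliveInterval=$cai"
        fi
    done <<EOF
$parsed
EOF
    [ "$failures" -eq 0 ]
}

# Run the audit against the constructed sample with the assumed 3600 s ceiling.
# In a real check, replace the printf with the dcli command above.
if printf '%s\n' "$SAMPLE_DCLI_OUTPUT" | audit_idle_timeouts 3600; then
    echo "all nodes within policy"
else
    echo "violations found; remediate with: dcli -l root -g ~/dbs_group /opt/oracle.cellos/host_access_control idle-timeout -l 3600 -c 3600"
fi
```

Against the sample, dm01db02 fails (still at the OL6 defaults), dm01db03 gets a warning because its shell and SSH timeouts disagree, and dm01db01 passes.  Pipe the real dcli output into audit_idle_timeouts and wire its exit status into whatever runs your post-patch checks.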
