Management users are not disconnected from the Telnet/SSH session even after 1 hour of idle time

Article ID: KB20967  KB Last Updated: 24 Feb 2020  Version: 4.0
Summary:
Management users are not disconnected from the Telnet/SSH session even after 1 hour of idle time.
Symptoms:
A management user is idle for more than one hour and is not disconnected. The user is still reported by the command show system users.

Since this is a TCP session and the device has a default timeout of 30 min, why do I still see the user connected?
Solution:
The device never automatically disconnects the management users; this is the default behavior. This is because the idle timeout is disabled by default.

To validate the current setting, use the following command:
root@router> show cli
CLI complete-on-space set to on
CLI idle-timeout disabled

If you want the users to disconnect after some time, configure the idle timeout according to your requirements using the following command:

root@router> set cli idle-timeout ?
Possible completions:
<timeout> Maximum idle time (0..100000 minutes)

Use the command show cli to validate the setting.

Example:
In this example the idle timeout is set to 60 minutes.
root@router> set cli idle-timeout 60
Idle timeout set to 60 minutes

root@router> show cli
CLI complete-on-space set to on
CLI idle-timeout set to 60 minutes

root@router% exit


When you log in to the device again, you will see that the idle timeout is disabled.

root@router> show cli
CLI complete-on-space set to on
CLI idle-timeout disabled

NOTE: This setting is lost after a reboot or when the user who configured it logs out.

If you want users to be logged out automatically and the setting to persist after a reboot, create a custom login class and set idle-timeout in that class.

Example:
[edit system login]
root# show
class test {
    idle-timeout 1;
    permissions all;
}
user user {
    uid 2006;
    class test;
    authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}

When you log in as this user, you will always see the idle timeout set to 1 minute.
user@juniper> show cli
CLI complete-on-space set to on
CLI idle-timeout set to 1 minute
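
To check an existing configuration for accounts that would never be disconnected, the following Python script (an added example, not Juniper code) parses a pasted [edit system login] stanza and lists the users whose login class sets no idle-timeout. The class noc, the user alice, and the function names parse_login and users_without_idle_timeout are assumptions made for the example.

```python
import re

# Constructed sample of an [edit system login] stanza; not taken from a real device.
SAMPLE = """
class test {
    idle-timeout 1;
    permissions all;
}
class noc {
    permissions all;
}
user user {
    class test;
    authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
user alice {
    class noc;
}
"""

def parse_login(text):
    """Return ({class: idle-timeout minutes or None}, {user: class name})."""
    classes, users, kind, name, depth = {}, {}, None, None, 0
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()  # drop trailing "## SECRET-DATA" annotations
        if line.endswith("{"):
            if depth == 0:  # only top-level "class X {" / "user X {" blocks matter
                m = re.fullmatch(r"(class|user)\s+(\S+)\s*\{", line)
                kind, name = m.groups() if m else (None, None)
                if kind:
                    (classes if kind == "class" else users)[name] = None
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 1 and kind:  # direct statements of the class or user block
            m = re.fullmatch(r"(idle-timeout|class)\s+(\S+);", line)
            if m and kind == "class" and m.group(1) == "idle-timeout":
                classes[name] = int(m.group(2))
            elif m and kind == "user" and m.group(1) == "class":
                users[name] = m.group(2)
    return classes, users

def users_without_idle_timeout(text):
    """Users whose class sets no idle-timeout here, or is not defined in this stanza."""
    classes, users = parse_login(text)
    return sorted(u for u, c in users.items() if classes.get(c) is None)
```

For SAMPLE the function returns alice, because class noc is defined without idle-timeout; a user assigned to a class that does not appear in the stanza is reported the same way.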