Session timeout leveraging PuTTY

Document ID : KB000046315
Last Modified Date : 14/02/2018

Problem:

SSH servers on target devices are configured to drop connections that are inactive for more than the configured time. Before implementing CA PAM, users would connect directly to these target devices using PuTTY. They configured PuTTY to send keep-alive messages every X seconds, which kept their sessions active. Now that those devices are accessed through CA PAM, using a TCP service running PuTTY with application protocol SSH, the SSH proxy running on the appliance does not forward the keep-alive messages to the target device, and the sessions do not stay alive.

When the application protocol is disabled and the SSH proxy is not involved, the CA PAM appliance forwards the keep-alive messages to the target device and the connection stays alive.

 

Cause:

By design, the SSH proxy running on the appliance does not forward the PuTTY keep-alive messages. CA PAM has its own session timeout configuration, which these keep-alive messages would bypass, leading to recorded sessions of indefinite length.
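The effect described above can be seen in a small model of an idle timer. This is an added example, not CA PAM code: the function names and sample events are constructed, and PuTTY keep-alives are assumed to appear as SSH_MSG_IGNORE packets.

```python
# Added illustration, not CA PAM code: models how an idle timer behaves
# depending on whether keep-alive packets are allowed to reset it.
SSH_MSG_IGNORE = 2         # RFC 4253 message number; assumed keep-alive type
SSH_MSG_CHANNEL_DATA = 94  # RFC 4254 message number; keystrokes and output


def session_end(events, idle_timeout, count_keepalives):
    """Return the second at which the idle timer closes the session,
    or None if the session is still open after the last event.

    events: list of (timestamp_seconds, ssh_message_type), sorted by time.
    count_keepalives: True  -> any packet resets the timer
                      False -> only channel data (user activity) resets it
    """
    last_activity = 0
    for ts, msg_type in events:
        if ts - last_activity > idle_timeout:
            return last_activity + idle_timeout
        if count_keepalives or msg_type != SSH_MSG_IGNORE:
            last_activity = ts
    return None


def constructed_session(keepalive_every, duration):
    """Constructed sample: the user types at t=10 and t=20, then walks away
    while the client sends a keep-alive every `keepalive_every` seconds."""
    events = [(10, SSH_MSG_CHANNEL_DATA), (20, SSH_MSG_CHANNEL_DATA)]
    events += [(t, SSH_MSG_IGNORE)
               for t in range(keepalive_every, duration + 1, keepalive_every)]
    return sorted(events)


if __name__ == "__main__":
    events = constructed_session(keepalive_every=30, duration=3600)
    # Keep-alives honoured: the abandoned session never times out.
    print("any packet resets timer:", session_end(events, 300, True))
    # Keep-alives ignored: the session ends 300 s after the last keystroke.
    print("only user data resets  :", session_end(events, 300, False))
```

With keep-alives honoured, the unattended session stays open for the whole hour; with them ignored, it closes 300 seconds after the last real input.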

 

Workaround:

If the target devices are accessed exclusively through CA PAM, there is no need to configure the target SSH server to drop inactive connections, because CA PAM has a configurable applet timeout parameter with a maximum limit of 48 hrs.

If no session recording is required, the TCP service in CA PAM can be configured with application protocol "Disabled", in which case the SSH proxy on the appliance will be bypassed and the PuTTY keep-alive messages will be forwarded to the SSH server on the target device.