Looking at my PAM appliance sessions, I have noticed that several of them span a long period of time (days or even weeks). However, my idle applet and session timeout is set to two hours. How can this be?
Regarding login and applet timeouts in general: once a user is connected to a target machine, the absence of keystrokes on that machine should normally start the applet timeout countdown.
However, if there is any activity on the customer network between the PAM client, PAM and the target machine (which can be verified only with tools such as tcpdump), the session is considered to be active.
Such is the case when, for instance, a device is used to access other devices using PuTTY with the keepalive option (e.g. RDP or SSH to Device A, and from Device A SSH to Device B): the keepalive setting sends packets through the network to prevent PuTTY from closing the connection, so PAM sees traffic on the network and never closes the connection.
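The behaviour described above can be modelled as follows. This is an added example, not the PAM product's code: it assumes the idle timer resets on any observed traffic, and the event timestamps, the 60-second keepalive interval and all function names are constructed for illustration.

```python
from typing import Iterable, Optional, Tuple

IDLE_TIMEOUT = 2 * 60 * 60      # two hours, the value quoted in the question
CAPTURE_END = 3 * 24 * 60 * 60  # constructed: observe the session for three days

# (seconds since session start, "keystroke" or "keepalive")
Event = Tuple[int, str]


def timeout_fires_at(events: Iterable[Event], idle_timeout: int,
                     any_traffic_counts: bool, capture_end: int) -> Optional[int]:
    """Return the second at which the idle timer expires, or None if it
    never expires within the observed window."""
    last_activity = 0  # session start counts as activity
    for ts, kind in sorted(events):
        if ts > capture_end:
            break
        if ts - last_activity >= idle_timeout:
            # The timer already expired before this event arrived.
            return last_activity + idle_timeout
        if kind == "keystroke" or any_traffic_counts:
            last_activity = ts
    deadline = last_activity + idle_timeout
    return deadline if deadline <= capture_end else None


def build_events(keepalive_interval: Optional[int]) -> list:
    """Constructed sample: the user types for 30 minutes, then walks away."""
    events = [(10, "keystroke"), (600, "keystroke"), (1800, "keystroke")]
    if keepalive_interval:
        events += [(t, "keepalive")
                   for t in range(keepalive_interval, CAPTURE_END + 1, keepalive_interval)]
    return events


def demo() -> dict:
    with_keepalive = build_events(60)
    without_keepalive = build_events(None)
    return {
        # Any traffic resets the timer and keepalives are on: never expires.
        "traffic_based_keepalive_on": timeout_fires_at(
            with_keepalive, IDLE_TIMEOUT, True, CAPTURE_END),
        # Same timer, keepalives off: expires two hours after the last keystroke.
        "traffic_based_keepalive_off": timeout_fires_at(
            without_keepalive, IDLE_TIMEOUT, True, CAPTURE_END),
        # Hypothetical keystroke-only timer: keepalives do not extend the session.
        "keystroke_only_keepalive_on": timeout_fires_at(
            with_keepalive, IDLE_TIMEOUT, False, CAPTURE_END),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(name, "->", "never (session stays open)" if fired is None else f"{fired}s")
```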