Ssh – User sessions are not ended

fedorasshsystemd

I recently noticed, that there are around 60 sessions opened on all of my hosts. (loginctl list-sessions)

Details showing up that these sessions are coming from Zabbix Monitoring which is periodically running some scripts to generate statistics.

I could destroy them with loginctl terminate-session. After 24 hours, there are already some sessions again. I then started monitoring these sessions. See this graph:

Details of a session:

loginctl show-session c96339
Id=c96339
User=0
Name=root
Timestamp=Thu 2017-05-04 03:38:28 CEST
TimestampMonotonic=2551128480813
VTNr=0
Remote=no
RemoteUser=zabbix
Service=sudo
Scope=session-c96339.scope
Leader=14070
Audit=0
Type=unspecified
Class=background
Active=yes
State=closing
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0

Sometimes, the server is getting very slow and the load average is somewhat over 40. I have to restart the systemd-logind service. After that, everything is ok again.

Does anyone have an idea why I have to restart that service regularly and why the sessions are not automatically destroyed?

System:

Fedora 24 (x86_64)

Kernel: 4.9.12-100.fc24.x86_64

Zabbix Agent: zabbix-agent-3.0.7-1.fc24.x86_64

Systemd: systemd-229-18.fc24.x86_64

Best Answer

You may want to have a look at ClientAliveInterval setting in sshd_config on the server side. With a value different from 0, this should close disconnected sessions after a given amount of time. (see also ClientAliveCountMax)

man sshd_config will give you more informations about these settings.

Related Solutions

Httpd not starting with systemd on F17

Recent versions of Fedora/systemd include a new feature which generates random private directories in /tmp and /var/tmp for individual system services.

This means that there are things you should check:

DO NOT symlink /var/tmp to /tmp or vice versa. These are treated separately and so you'll need to keep them separate.
Ensure that both /var/tmp and /tmp have 1777 permissions.

If this doesn't resolve the problem, you may have found a bug, and should report it.

Debian Systemd – SSH Sessions Hang on Shutdown or Reboot

When you shutdown or reboot your system, systemd tries to stop all services as fast as it can. That involves bringing down the network and terminating all processes that are still alive -- usually in that order. So when systemd kills the forked SSH processes that are handling your SSH sessions, the network connection is already disabled and they have no way of closing the client connection gracefully.

Your first thought might be to just kill all SSH processes as the first step during shutdown, and there are quite a few systemd service files out there that do just that.

But there is of course a neater solution (how it's "supposed" to be done): systemd-logind.
systemd-logind keeps track of active user sessions (local and SSH ones) and assigns all processes spawned within them to so-called "slices". That way, when the system is shut down, systemd can just SIGTERM everything inside the user slices (which includes the forked SSH process that's handing a particular session) and then continue shutting down services and the network.

systemd-logind requires a PAM module to get notified of new user sessions and you'll need dbus to use loginctl to check its status, so install both of those:

apt-get install libpam-systemd dbus

Be sure your /etc/ssh/sshd_config is actually going to use the module with UsePAM yes.

Best Answer

Related Solutions

Httpd not starting with systemd on F17

Debian Systemd – SSH Sessions Hang on Shutdown or Reboot

Related Topic