On Tue, Aug 03, 2021 at 05:57:52PM -0500, Joseph Reynolds wrote: > 3. (Joseph): Change the SSH server per-session idle timeout to an hour > (was unlimited)?  (Sent idea to upstream project > yocto-security@yoctoproject.org > .)  Alternatively, update > both SSH and BMCWeb to 30 minutes. Facebook has had this implemented in our BMC for a long time. We use to have to patch SSH but that stopped working and we ended up using the TMOUT variable. Relevant commits are [1,2]. > 1. Guidelines: > 1. NIST SP800-63B requires a timeout of 30 minutes for > "assurance level 2" (high confidence that the authentication > is still valid), or 15 minutes for "assurance level 2" (very > high confidence). > https://pages.nist.gov/800-63-3/sp800-63b.html > > 2. OWASP suggests idle timeouts of 15-30 minutes. > https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration > 15 minutes seems more than enough to me. We have ours set to 5 minutes on the console and 30 minutes on the SSH, but I think those are relatively arbitrary. Ideally whatever you implement can be configured with a Yocto variable so if someone feels your choice is "wrong" they can easily override it in their own machine. > 2. Alternatively, use the bash shell’s TMOUT variable? Whatever you do, I think you need to take into account the serial console as well. Not just SSH. > 3. See Yocto discussion (representative archived email): > https://lists.yoctoproject.org/g/yocto-security/message/381 > I agree with Richard even in the context of OpenBMC itself: > There is never going to be one "right" solution for everyone but > making it easy/clear for users to do it would be ideal (which includes > making it easy for OpenBMC to configure what they need). Whatever you pick someone is going to argue it is wrong. 1. https://github.com/facebook/openbmc/commit/8171ad7183269e3050f7f37b9b3956ce54b0ee87 2. https://github.com/facebook/openbmc/commit/59d7b23a9c2aa08efde19f913df446a82e1f6804 -- Patrick Williams