From: "Andrew Jeffery" <>
To: "Joseph Reynolds" <>,
	openbmc <>
Subject: Re: Add SSH session idle timeouts
Date: Tue, 10 Aug 2021 09:04:43 +0930

Hi Joseph,

On Tue, 10 Aug 2021, at 00:32, Joseph Reynolds wrote:

> [NIST SP800-63B][] requires a timeout of 30 minutes for "assurance
> level 2" (high confidence that the authentication is still valid), or 15
> minutes for "assurance level 2" (very high confidence).

You've listed "assurance level 2" here twice; I assume the level increases.

> Idle session timeouts can technically be implemented in one of three 
> places:
> 1. In the communication layer, for example, the SSH client session can 
> time out.
> 2. In the application.  For example, the Bash shell TMOUT variable.
> 3. In a layer between the interface and the application.  For example, 
> the "screen" application can provide a timeout function.
> For example, suppose you want your host console sessions (ssh -p 2200) 
> to time out and close the session.  OpenSSH does not offer a session 
> idle timeout, and [obmc-console][] does not offer a timeout, so how can 
> we provide this function?  One idea is to have the SSH server for port 
> 2200 connect to an application like "screen", set its TMOUT variable, 
> and connect that to the console socket.  Or can we add timeout support 
> directly to obmc-console?
> [obmc console]:

Right, let's not be allergic to touching the code for these projects.

obmc-console is an OpenBMC application, and both OpenSSH and dropbear 
are open-source, so if we need to make changes in any then we have a 
path forward.

Whether that's appropriate is a separate question, but let's not create 
a maze unnecessarily.
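
An added example, not part of this thread and not code from obmc-console, OpenSSH or dropbear: the third option quoted above (a timeout layer between the interface and the application) written as a C relay between a user-side descriptor and a console-side socket. The function and parameter names are hypothetical, and it assumes that only bytes from the user count as activity, so host console output alone does not keep an unattended session open.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>

static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Move one chunk from -> to: bytes moved, 0 on EOF, -1 on error. */
static ssize_t pump(int from, int to)
{
    char buf[4096];
    ssize_t n = read(from, buf, sizeof(buf));
    for (ssize_t off = 0; off < n;) {
        ssize_t w = write(to, buf + off, (size_t)(n - off));
        if (w < 0) return -1;
        off += w;
    }
    return n;
}

/* Illustrative relay (hypothetical names, not obmc-console code). Returns 1 on
 * idle timeout, 0 on EOF, -1 on error. Only user input restarts the timer. */
int relay_with_idle_timeout(int user_fd, int console_fd, int idle_ms)
{
    long long deadline = now_ms() + idle_ms;
    for (;;) {
        long long left = deadline - now_ms();
        if (left <= 0) return 1;
        struct pollfd fds[2] = { { .fd = user_fd, .events = POLLIN },
                                 { .fd = console_fd, .events = POLLIN } };
        int rc = poll(fds, 2, (int)left);
        if (rc < 0 && errno == EINTR) continue;
        if (rc < 0) return -1;
        if (fds[0].revents) {
            ssize_t n = pump(user_fd, console_fd);
            if (n <= 0) return (int)n;
            deadline = now_ms() + idle_ms; /* user typed: restart timer */
        }
        if (fds[1].revents) {
            ssize_t n = pump(console_fd, user_fd);
            if (n <= 0) return (int)n;
        }
    }
}
```

The caller closes both descriptors when the function returns 1, which ends the session from the server side regardless of what the client does.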

