openbmc.lists.ozlabs.org archive mirror
From: "Andrew Jeffery" <andrew@aj.id.au>
To: "Joseph Reynolds" <jrey@linux.ibm.com>,
	openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Add SSH session idle timeouts
Date: Tue, 10 Aug 2021 09:04:43 +0930
Message-ID: <794d30f1-42b8-49dd-a192-e7bdc6dc1dd0@www.fastmail.com>
In-Reply-To: <a08ced6c-9213-c05d-a5af-105ffa5f3b26@linux.ibm.com>

Hi Joseph,

On Tue, 10 Aug 2021, at 00:32, Joseph Reynolds wrote:

> [NIST SP800-63B][] requires a timeout of 30 minutes for "assurance
> level 2" (high confidence that the authentication is still valid), or
> 15 minutes for "assurance level 2" (very high confidence).

You've listed "assurance level 2" here twice; I assume the level increases.

> 
> Idle session timeouts can technically be implemented in one of three 
> places:
> 1. In the communication layer, for example, the SSH client session can 
> time out.
> 2. In the application.  For example, the Bash shell TMOUT variable.
> 3. In a layer between the interface and the application.  For example, 
> the "screen" application can provide a timeout function.
> 
> For example, suppose you want your host console sessions (ssh -p 2200) 
> to time out and close the session.  OpenSSH does not offer a session 
> idle timeout, and [obmc-console][] does not offer a timeout, so how can 
> we provide this function?  One idea is to have the SSH server for port 
> 2200 connect to an application like "screen", set its TMOUT variable, 
> and connect that to the console socket.  Or can we add timeout support 
> directly to obmc-console?
> [obmc console]: https://github.com/openbmc/obmc-console

Right, let's not be allergic to touching the code for these projects.

obmc-console is an OpenBMC application, and both OpenSSH and dropbear 
are open-source, so if we need to make changes in any then we have a 
path forward.

Whether that's appropriate is a separate question, but let's not create 
a maze unnecessarily.

Andrew
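
Added example, not part of the original message and not code from obmc-console, OpenSSH or dropbear: a minimal C sketch of an idle timeout enforced where the console bytes are relayed, the "add timeout support directly" option raised in the thread. The function name relay_until_idle and its return codes are hypothetical, and it assumes that idleness is measured on input arriving from the user side only.

```c
#include <errno.h>
#include <poll.h>
#include <unistd.h>

/* Hypothetical helper, not obmc-console code. Copies bytes from in_fd
 * (user side) to out_fd (console side) until the peer closes or no
 * input arrives for idle_ms milliseconds.
 * Returns 1 on idle timeout, 0 on EOF, -1 on error. */
int relay_until_idle(int in_fd, int out_fd, int idle_ms)
{
    char buf[256];
    struct pollfd pfd = { .fd = in_fd, .events = POLLIN };

    for (;;) {
        /* Each poll() call starts a fresh idle_ms window, so only an
         * uninterrupted quiet period ends the session. */
        int rc = poll(&pfd, 1, idle_ms);
        if (rc < 0 && errno == EINTR)
            continue;
        if (rc < 0)
            return -1;
        if (rc == 0)
            return 1;               /* idle: caller closes the session */

        ssize_t n = read(in_fd, buf, sizeof(buf));
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;
        if (n == 0)
            return 0;               /* peer closed the connection */

        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0 && errno != EINTR)
                return -1;
            if (w > 0)
                off += w;           /* handle short writes */
        }
    }
}

int main(void)
{
    /* 30 minutes, the first timeout figure quoted in the thread. */
    int rc = relay_until_idle(STDIN_FILENO, STDOUT_FILENO, 30 * 60 * 1000);
    return rc < 0 ? 1 : 0;
}
```

Output from the host side is deliberately not counted as activity here, since a chatty host console would otherwise keep an unattended session open indefinitely.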
