From: Joseph Reynolds <>
To: Jeremy Kerr <>, openbmc <>
Subject: Re: Security Working Group meeting - Wednesday September 18 - results - add idle timeout
Date: Fri, 20 Aug 2021 11:19:58 -0500
Message-ID: <>
In-Reply-To: <>

On 8/18/21 7:49 PM, Jeremy Kerr wrote:
> Hi Joseph,
>> 5 How to add session timeouts to host console?
>> See the diagram in the README under
>> <>.
>> We thought obmc-console-client was the right place to implement the
>> timeout mechanism.
> OK, but that diagram doesn't really cover the detail you'd need to base
> such a decision on; there's the ssh server between port 2222 and the
> obmc-console-client program.

Here is my understanding of the code which establishes new connections.
My knowledge here is limited; please correct me or add anything I missed.
1. The service to listen at port 2200 ("host console") is here:
2. That service uses systemd service files under:
3. The `obmc-console-ssh@.service` handles each new connection by
running dropbear, which connects the instance to obmc-console-client.

When a network client reaches TCP port 2200, I understand the flow is:
1. When the obmc-console-ssh.socket gets a new connection, it activates 
an instance of obmc-console-ssh@.service.
2. The obmc-console-ssh instance runs the dropbear program.
3. The dropbear program creates an SSH session which connects the 
network session user to the obmc-console-client program.

Given that flow, I see the following choices for where to enforce an 
idle timeout:
1. Do systemd sockets have a timeout mechanism?  I found controls for
when the listening socket is idle, but not for a socket handling a
connection instance.  However, my knowledge in this area is very limited.
2. The dropbear SSH server has a session idle timeout mechanism (command 
line parameter: `dropbear ... -I 3600`).
3. Add a new parameter to the obmc-console-client.  See
4. Run a new program between dropbear and obmc-console-client to provide
the idle timeout, for example, like the `screen` command with TMOUT set
to the desired timeout.

Of these options, I think the easiest is to have dropbear provide the 
timeout, but note that OpenSSH does not provide an idle session 
timeout.  I believe the right solution is to add a timeout to 
obmc-console-client, as proposed in obmc-console/issues/18.


> [obmc-console-client is just a *really* simple bridge between stdio and
> a unix domain socket. It doesn't own the network socket, nor do any
> authentication or authorisation]
> We can definitely do an optional timeout in obmc-console-client, but I
> want to make sure that's really what you want first.
> Cheers,
> Jeremy
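As an added example, not code from obmc-console or from either author of the thread, here is how an idle timeout looks inside a minimal stdio/socket bridge of the kind Jeremy describes (option 3 above, in generic form). The bridge copies bytes between two file descriptors and returns "idle" when nothing has been typed for `idle_timeout` seconds, or "eof" when a side hangs up. The names `run_bridge` and `demo` are this example's own; the two socketpairs in `demo` stand in for the SSH user and the host console and are constructed here, not taken from the project. One design point the thread does not spell out: if console output also reset the timer, a host that keeps printing (boot logs, a periodic prompt) would hold an abandoned session open forever, so by default only traffic from the user side resets the clock.

```python
"""Idle-timeout bridge between two file descriptors.

Added example; not obmc-console's code. `run_bridge` models an
obmc-console-client-style bridge that additionally enforces an idle timeout.
"""
import os
import selectors
import socket
import threading
import time


def _write_all(fd, data):
    """os.write may write only part of the buffer; loop until it is all out."""
    while data:
        n = os.write(fd, data)
        data = data[n:]


def run_bridge(user_fd, console_fd, idle_timeout, reset_on_output=False):
    """Copy bytes between user_fd and console_fd until one side closes
    ("eof") or idle_timeout seconds pass with no user input ("idle").

    By default only bytes arriving from user_fd reset the idle clock;
    set reset_on_output=True to let console output keep the session alive.
    """
    sel = selectors.DefaultSelector()
    sel.register(user_fd, selectors.EVENT_READ, data=console_fd)
    sel.register(console_fd, selectors.EVENT_READ, data=user_fd)
    deadline = time.monotonic() + idle_timeout
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "idle"          # timer expired: tear the session down
            for key, _ in sel.select(timeout=remaining):
                chunk = os.read(key.fd, 4096)
                if not chunk:
                    return "eof"       # peer closed its end
                _write_all(key.data, chunk)   # forward to the other side
                if key.fd == user_fd or reset_on_output:
                    deadline = time.monotonic() + idle_timeout
    finally:
        sel.close()


def demo(idle_timeout=0.3, hangup=False):
    """Constructed session: one socketpair plays the SSH user, the other the
    host console. Returns (reason, bytes the console saw, bytes the user saw).
    With hangup=True the user disconnects; otherwise the session goes quiet
    and the idle timer fires.
    """
    user_near, user_far = socket.socketpair()
    con_near, con_far = socket.socketpair()
    result = {}

    def worker():
        result["reason"] = run_bridge(user_near.fileno(), con_near.fileno(),
                                      idle_timeout)

    t = threading.Thread(target=worker)
    t.start()
    user_far.sendall(b"help\r")        # keystrokes from the user
    seen_by_console = con_far.recv(64)
    con_far.sendall(b"ok\r\n")         # console output back to the user
    seen_by_user = user_far.recv(64)
    if hangup:
        user_far.shutdown(socket.SHUT_WR)   # user side hangs up
    t.join(idle_timeout * 5 + 1)
    for s in (user_near, user_far, con_near, con_far):
        s.close()
    return result.get("reason"), seen_by_console, seen_by_user


if __name__ == "__main__":
    print(demo())              # ('idle', b'help\r', b'ok\r\n')
    print(demo(hangup=True))   # ('eof', b'help\r', b'ok\r\n')
```

In a real deployment the user-side descriptor would be stdin/stdout as handed over by dropbear and the console side the unix domain socket, and the timeout value would come from a command-line option or the console configuration; the select-with-deadline loop is the same.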
