From: Joseph Reynolds <firstname.lastname@example.org>
To: Jeremy Kerr <email@example.com>, openbmc <firstname.lastname@example.org>
Subject: Re: Security Working Group meeting - Wednesday September 18 - results - add idle timeout
Date: Fri, 20 Aug 2021 11:19:58 -0500
Message-ID: <email@example.com>
On 8/18/21 7:49 PM, Jeremy Kerr wrote:
> Hi Joseph,
>> 5 How to add session timeouts to host console?
>> See the diagram in the README under
>> We thought obmc-console-client was the right place to implement the
>> timeout mechanism.
> OK, but that diagram doesn't really cover the detail you'd need to base
> such a decision on; there's the ssh server between port 2222 and the
> obmc-console-client program.
Here is my understanding of the code which establishes new connections.
My knowledge here is limited; please correct me or add anything I missed.
1. The service to listen at port 2200 ("host console") is here:
2. That service uses systemd service files under:
3. The `obmc-console-ssh@.service` handles each new connection by
running dropbear which connects the instance to the obmc-console-client
When a network client reaches TCP port 2200, I understand the flow is:
1. When the obmc-console-ssh.socket gets a new connection, it activates
an instance of obmc-console-ssh@.service.
2. The obmc-console-ssh instance runs the dropbear program.
3. The dropbear program creates an SSH session which connects the
network session user to the obmc-console-client program.
Given that flow, I see the following choices for where to enforce an
1. Do systemd sockets have a timeout mechanism? I found controls for
when the listening socket is idle, but not for a socket handling
connection instance. However, my knowledge in this area is very limited.
2. The dropbear SSH server has a session idle timeout mechanism (command
line parameter: `dropbear ... -I 3600`).
3. Add a new parameter to the obmc-console-client. See
4. Run a new program between dropbear and obmc-console-client to provide
the idle timeout, for example, like the `screen` command with TMOUT set
to the desired timeout.
Of these options, I think the easiest is to have dropbear provide the
timeout, but note that OpenSSH does not provide an idle session
timeout. I believe the right solution is to add a timeout to
obmc-console-client, as proposed in obmc-console/issues/18.
> [obmc-console-client is just a *really* simple bridge between stdio and
> a unix domain socket. It doesn't own the network socket, nor do any
> authentication or authorisation]
> We can definitely do an optional timeout in obmc-console-client, but I
> want to make sure that's really what you want first.
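The following is an added example, not obmc-console's own code and not from any participant in this thread. It shows the shape option 3 above could take: a bridge that copies bytes between two descriptors (stdio on one side, the console's unix domain socket on the other, as Jeremy describes) and cuts the session off once no byte has flowed in either direction for a configurable idle window. The names `relay_with_idle_timeout` and `run_scenario` are assumptions, and the traffic in `run_scenario` is constructed with `socketpair(2)` so it runs without a BMC.

```c
/* Added example, not obmc-console code: an idle-timeout relay between two
 * descriptors, the kind of change proposed for obmc-console-client. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum relay_result { RELAY_EOF = 0, RELAY_IDLE_TIMEOUT = 1, RELAY_ERROR = 2 };

/* Write the whole buffer, retrying on short writes and EINTR. */
static int write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += w;
        len -= (size_t)w;
    }
    return 0;
}

/* Copy bytes in both directions between fd_a and fd_b. Each poll() waits at
 * most idle_ms; every byte moved restarts that wait, so poll() returning 0
 * means the session was idle for the whole window. bytes_out (may be NULL)
 * receives the number of bytes relayed. */
enum relay_result relay_with_idle_timeout(int fd_a, int fd_b, int idle_ms,
                                          size_t *bytes_out)
{
    struct pollfd pfd[2] = { { .fd = fd_a, .events = POLLIN },
                             { .fd = fd_b, .events = POLLIN } };
    size_t total = 0;
    char buf[4096];
    enum relay_result result = RELAY_ERROR;

    for (;;) {
        int n = poll(pfd, 2, idle_ms);
        if (n < 0) {
            if (errno == EINTR)
                continue; /* restarts the idle window; acceptable here */
            goto done;
        }
        if (n == 0) {
            result = RELAY_IDLE_TIMEOUT; /* nothing moved for idle_ms */
            goto done;
        }
        for (int i = 0; i < 2; i++) {
            if (!(pfd[i].revents & (POLLIN | POLLHUP | POLLERR)))
                continue;
            ssize_t r = read(pfd[i].fd, buf, sizeof buf);
            if (r == 0) { result = RELAY_EOF; goto done; } /* peer hung up */
            if (r < 0) {
                if (errno == EINTR) continue;
                goto done;
            }
            if (write_all(pfd[1 - i].fd, buf, (size_t)r) < 0)
                goto done;
            total += (size_t)r;
        }
    }
done:
    if (bytes_out)
        *bytes_out = total;
    return result;
}

/* Constructed scenario (assumption, for demonstration): the "user" side either
 * sends msg and hangs up, or sends nothing at all (msg == NULL). Whatever
 * reached the "console" side is copied into echo. */
enum relay_result run_scenario(const char *msg, int idle_ms, char *echo,
                               size_t echo_len, size_t *moved)
{
    int user[2], console[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, user) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, console) < 0)
        return RELAY_ERROR;
    if (msg) {
        write_all(user[0], msg, strlen(msg));
        close(user[0]); /* user finished: relay must see EOF, not a timeout */
    }
    enum relay_result r = relay_with_idle_timeout(user[1], console[0],
                                                  idle_ms, moved);
    echo[0] = '\0';
    if (*moved > 0) { /* all relayed bytes already sit in the socketpair */
        ssize_t n = read(console[1], echo, echo_len - 1);
        echo[n > 0 ? n : 0] = '\0';
    }
    if (!msg)
        close(user[0]);
    close(user[1]); close(console[0]); close(console[1]);
    return r;
}

/* Bytes relayed when the user sends a line and hangs up (-1 on mismatch). */
long bytes_relayed_on_hangup(void)
{
    size_t m = 0; char e[64];
    enum relay_result r = run_scenario("uptime\n", 1000, e, sizeof e, &m);
    return (r == RELAY_EOF && strcmp(e, "uptime\n") == 0) ? (long)m : -1;
}

/* 1 if a silent user is cut off by the idle timeout with nothing relayed. */
int idle_user_is_cut_off(void)
{
    size_t m = 0; char e[8];
    return run_scenario(NULL, 100, e, sizeof e, &m) == RELAY_IDLE_TIMEOUT && m == 0;
}

int main(void)
{
    printf("hangup: %ld bytes relayed\n", bytes_relayed_on_hangup());
    printf("idle user cut off: %d\n", idle_user_is_cut_off());
    return 0;
}
```

The idle window is per-session and resets on traffic in either direction, which matches what `dropbear -I` does at the SSH layer; placing it in the bridge instead means it works regardless of which network server sits in front. In a real bridge the hang-up path would also close the console socket so the instance exits and systemd can reap it.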
Thread overview (6 messages):
2021-08-18 13:54 Security Working Group meeting - Wednesday September 18 Joseph Reynolds
2021-08-18 17:33 ` Patrick Williams
2021-08-18 19:12 ` Joseph Reynolds
2021-08-18 19:32 ` Security Working Group meeting - Wednesday September 18 - results Joseph Reynolds
2021-08-19 0:49 ` Jeremy Kerr
2021-08-20 16:19 ` Joseph Reynolds [this message]