From: Joseph Reynolds <jrey@linux.ibm.com>
To: Jeremy Kerr <jk@ozlabs.org>, openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday September 18 - results - add idle timeout
Date: Fri, 20 Aug 2021 11:19:58 -0500
Message-ID: <99bf8737-daec-1d75-42a8-3c5c3b08430a@linux.ibm.com>
In-Reply-To: <e6ff536d22764e44ac9444c50bad41d4b4a1d8c1.camel@ozlabs.org>

On 8/18/21 7:49 PM, Jeremy Kerr wrote:
> Hi Joseph,
>
>> 5 How to add session timeouts to host console?
>>
>> DISCUSSION:
>>
>> See the diagram in the README under
>> https://github.com/openbmc/obmc-console.
>>
>> We thought obmc-console-client was the right place to implement the
>> timeout mechanism.
> OK, but that diagram doesn't really cover the detail you'd need to base
> such a decision on; there's the ssh server between port 2222 and the
> obmc-console-client program.

Here is my understanding of the code which establishes new connections.
My knowledge here is limited; please correct me or add anything I missed.
1. The service to listen at port 2200 ("host console") is here:
github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/console/obmc-console_git.bb
2. That service uses systemd service files under:
github.com/openbmc/obmc-console/tree/master/conf
3. The `obmc-console-ssh@.service` handles each new connection by 
running dropbear which connects the instance to the obmc-console-client 
program.

When a network client reaches TCP port 2200, I understand the flow is:
1. When the obmc-console-ssh.socket gets a new connection, it activates 
an instance of obmc-console-ssh@.service.
2. The obmc-console-ssh instance runs the dropbear program.
3. The dropbear program creates an SSH session which connects the 
network session user to the obmc-console-client program.

Given that flow, I see the following choices for where to enforce an 
idle timeout:
1. Do systemd sockets have a timeout mechanism?  I found controls for 
when the listening socket is idle, but not for a socket handling a 
connection instance.  However, my knowledge in this area is very limited.
2. The dropbear SSH server has a session idle timeout mechanism (command 
line parameter: `dropbear ... -I 3600`).
3. Add a new parameter to the obmc-console-client.  See 
https://github.com/openbmc/obmc-console/issues/18
4. Run a new program between dropbear and obmc-console-client to provide 
the idle timeout, for example, like the `screen` command with TMOUT set 
to the desired timeout.

Of these options, I think the easiest is to have dropbear provide the 
timeout, but note that OpenSSH does not provide an idle session 
timeout.  I believe the right solution is to add a timeout to 
obmc-console-client, as proposed in obmc-console/issues/18.

Joseph

>
> [obmc-console-client is just a *really* simple bridge between stdio and
> a unix domain socket. It doesn't own the network socket, nor do any
> authentication or authorisation]
>
> We can definitely do an optional timeout in obmc-console-client, but I
> want to make sure that's really what you want first.
>
> Cheers,
>
> Jeremy

