From: Patrick Williams <patrick@stwcx.xyz>
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Security Working Group meeting - Wednesday August 4
Date: Tue, 3 Aug 2021 22:04:21 -0500 [thread overview]
Message-ID: <YQoDtQh0xjsMBWps@heinlein> (raw)
In-Reply-To: <89b3524f-a1b3-513c-fc6a-1d888e479238@linux.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 2497 bytes --]
On Tue, Aug 03, 2021 at 05:57:52PM -0500, Joseph Reynolds wrote:
> 3. (Joseph): Change the SSH server per-session idle timeout to an hour
> (was unlimited)? (Sent idea to upstream project
> yocto-security@yoctoproject.org
> <mailto:yocto-security@yoctoproject.org>.) Alternatively, update
> both SSH and BMCWeb to 30 minutes.
Facebook has had this implemented in our BMC for a long time. We use to
have to patch SSH but that stopped working and we ended up using the TMOUT
variable. Relevant commits are [1,2].
> 1. Guidelines:
> 1. NIST SP800-63B requires a timeout of 30 minutes for
> "assurance level 2" (high confidence that the authentication
> is still valid), or 15 minutes for "assurance level 2" (very
> high confidence).
> https://pages.nist.gov/800-63-3/sp800-63b.html
> <https://pages.nist.gov/800-63-3/sp800-63b.html>
> 2. OWASP suggests idle timeouts of 15-30 minutes.
> https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
> <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration>
15 minutes seems more than enough to me. We have ours set to 5 minutes on the
console and 30 minutes on the SSH, but I think those are relatively arbitrary.
Ideally whatever you implement can be configured with a Yocto variable so if
someone feels your choice is "wrong" they can easily override it in their own
machine.
> 2. Alternatively, use the bash shell’s TMOUT variable?
Whatever you do, I think you need to take into account the serial console as
well. Not just SSH.
> 3. See Yocto discussion (representative archived email):
> https://lists.yoctoproject.org/g/yocto-security/message/381
> <https://lists.yoctoproject.org/g/yocto-security/message/381>
I agree with Richard even in the context of OpenBMC itself:
> There is never going to be one "right" solution for everyone but
> making it easy/clear for users to do it would be ideal (which includes
> making it easy for OpenBMC to configure what they need).
Whatever you pick someone is going to argue it is wrong.
1. https://github.com/facebook/openbmc/commit/8171ad7183269e3050f7f37b9b3956ce54b0ee87
2. https://github.com/facebook/openbmc/commit/59d7b23a9c2aa08efde19f913df446a82e1f6804
--
Patrick Williams
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2021-08-04 3:05 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-03 22:57 Security Working Group meeting - Wednesday August 4 Joseph Reynolds
2021-08-04 3:04 ` Patrick Williams [this message]
2021-08-04 3:22 ` Patrick Williams
2021-08-09 14:09 ` Security Working Group meeting - Wednesday August 4 - ibm-acf repo Joseph Reynolds
2021-08-04 3:28 ` Security Working Group meeting - Wednesday August 4 Patrick Williams
2021-08-04 18:43 ` Security Working Group meeting - Wednesday August 4 - all distro owners please review Joseph Reynolds
2021-08-04 18:47 ` Security Working Group meeting - Wednesday August 4 - results Joseph Reynolds
2021-08-04 20:09 ` Patrick Williams
2021-08-04 20:39 ` Joseph Reynolds
2021-08-04 20:49 ` Patrick Williams
2021-08-04 23:23 ` Patrick Williams
2021-08-06 17:10 ` Mihm, James
2021-08-04 23:47 ` Andrew Jeffery
2021-08-04 23:57 ` Ed Tanous
2021-08-05 13:55 ` Brad Bishop
2021-08-05 13:43 ` Brad Bishop
2021-08-05 15:54 ` Brad Bishop
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YQoDtQh0xjsMBWps@heinlein \
--to=patrick@stwcx.xyz \
--cc=jrey@linux.ibm.com \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).