From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
Subject: Add SSH session idle timeouts
Date: Mon, 9 Aug 2021 10:02:00 -0500
Message-ID: <a08ced6c-9213-c05d-a5af-105ffa5f3b26@linux.ibm.com>

OpenBMC community,

This is a proposal to add idle timeouts to SSH command shell sessions and host console sessions (ssh port 2200). BMCWeb has login session idle timeouts per Redfish SessionService property SessionTimeout (hard-coded at 60 minutes), and I want similar timeouts for SSH sessions.

In this email, I am looking for discussion toward which interfaces should have a timeout, and a technical direction for how to implement that timeout. Details are below.

Joseph

_______________

Details

Which interfaces are affected?

As far as I know, the BMC currently has session idle timeouts for:
- HTTPS interface to the BMC's Web server
  - created via port 443
  - Redfish SessionService at /redfish/v1/SessionService property "SessionTimeout"
- IPMI SOL interface to the BMC's host console
  - created via IPMI "sol activate" command

I want default timeouts for:
- Serial interface to the BMC's console
  - physical port
- SSH connections to the BMC's command shell
  - created via ssh port 22
- SSH connections to the BMC's host console
  - created via ssh port 2200

Help wanted with the following connections (should these have idle timeouts?):
- KVM-IP connections
  - created via REST API invocation
- USB-IP connections
  - created via REST API invocation
- Virtual Media
  - created via REST API invocation

I believe the following connections are sessionless or are covered by their own protocol:
- Session-less HTTPS invocations.
- Most IPMI commands, which are session-less.
- TFTP connections, which are covered by their own protocol.
- Subscriptions such as SNMP, which do not expire.
- mDNS, which is session-less.
- SLP, which is session-less.

The interfaces above were scraped from the [OpenBMC interface-overview][].

[OpenBMC interface-overview]: https://github.com/openbmc/docs/blob/master/architecture/interface-overview.md

Note the Yocto project declined to set a default for SSH session idle timeout, and instead intends to document security configuration items (including session idle timeouts). See [Yocto email archive][].

[Yocto email archive]: https://lists.yoctoproject.org/g/yocto-security/message/383

Motivation:

I want the BMC to be able to comply with NIST requirements and OWASP recommendations:

[NIST SP800-63B][] requires a timeout of 30 minutes for "assurance level 2" (high confidence that the authentication is still valid), or 15 minutes for "assurance level 2" (very high confidence).

[NIST SP800-63B]: https://pages.nist.gov/800-63-3/sp800-63b.html

[OWASP session expiration][] suggests idle timeouts of 15-30 minutes.

[OWASP session expiration]: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration

The OpenBMC security working group generally agreed to establish these timeouts. See the 2021-08-04 meeting of the OpenBMC Security Working Group. Minutes: https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI

Which layer should implement the timeout?

Idle session timeouts can technically be implemented in one of three places:

1. In the communication layer, for example, the SSH client session can time out.
2. In the application. For example, the Bash shell TMOUT variable.
3. In a layer between the interface and the application. For example, the "screen" application can provide a timeout function.

For example, suppose you want your host console sessions (ssh -p 2200) to time out and close the session. OpenSSH does not offer a session idle timeout, and [obmc-console][] does not offer a timeout, so how can we provide this function? One idea is to have the SSH server for port 2200 connect to an application like "screen", set its TMOUT variable, and connect that to the console socket. Or can we add timeout support directly to obmc-console?

[obmc-console]: https://github.com/openbmc/obmc-console

TLDR: This proposal is specifically for "session idle timeouts"; it does not include other kinds of timeouts such as timeouts in protocols to establish new connections.

NIST SP800-63B has additional guidelines such as periodic re-authentication (for example, re-enter password every 12 hours). I am not pursuing these at this time.

The Redfish spec has an API to configure Redfish session timeouts, but no property to configure other kinds of sessions. I asked if this can be added in the public Redfish forum. Here: https://redfishforum.com/thread/518/api-set-ssh-managerconsole-timeouts
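The third option above, a layer sitting between the SSH server and the console application, can be illustrated with a small relay that forwards a session's input to a backend process and terminates the backend once no input has arrived for a configured idle period. This is an added example, not code from the email, from obmc-console or from OpenBMC; it uses `cat` as a placeholder backend (standing in for the console program or a screen/TMOUT session) and constructs its own sample input through an `os.pipe()`, so it runs offline. The function names `relay_with_idle_timeout` and `demo` are hypothetical.

```python
import os
import select
import subprocess
import time


def relay_with_idle_timeout(cmd, in_fd, idle_seconds):
    """Feed bytes from in_fd into cmd's stdin and end the session when idle.

    Returns (exit_code, bytes_forwarded, idle_hit, output).
    idle_hit is True when no input arrived for idle_seconds and cmd was
    terminated; it is False when in_fd reached EOF, i.e. the user ended
    the session normally. cmd is a placeholder backend (assumption: here
    "cat"), standing in for the console program the relay would wrap.
    """
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    last_activity = time.monotonic()
    forwarded = 0
    idle_hit = False
    try:
        while True:
            # Time left before the idle limit, measured from the last byte seen.
            remaining = idle_seconds - (time.monotonic() - last_activity)
            if remaining <= 0:
                idle_hit = True
                proc.terminate()
                break
            # Block only until either input arrives or the idle budget is spent.
            readable, _, _ = select.select([in_fd], [], [], remaining)
            if not readable:
                continue
            chunk = os.read(in_fd, 4096)
            if not chunk:
                break  # EOF: the session was closed by the user side
            try:
                proc.stdin.write(chunk)
                proc.stdin.flush()
            except BrokenPipeError:
                break  # backend exited on its own (e.g. the shell ran "exit")
            forwarded += len(chunk)
            last_activity = time.monotonic()
    finally:
        proc.stdin.close()
    output = proc.stdout.read()
    exit_code = proc.wait()
    proc.stdout.close()
    return exit_code, forwarded, idle_hit, output


def demo(data, keep_open, idle_seconds=1.0):
    """Drive the relay with constructed input delivered through an os.pipe().

    keep_open=True leaves the write end open with nothing more to send,
    modelling a user who walked away; keep_open=False closes it, modelling
    a normal end of session.
    """
    r, w = os.pipe()
    os.write(w, data)
    if not keep_open:
        os.close(w)
    try:
        return relay_with_idle_timeout(["cat"], r, idle_seconds)
    finally:
        os.close(r)
        if keep_open:
            os.close(w)


if __name__ == "__main__":
    print("idle session:", demo(b"hello\n", keep_open=True))
    print("session ended by EOF:", demo(b"a\nb\n", keep_open=False))
```

The relay measures idleness on the input side only, which matches what the email asks for (a session the user stopped typing into), and it ends the backend rather than just the transport, so the console process does not outlive the SSH connection. A real deployment would additionally need to relay the backend's output back to the client and pick the limit from configuration; the 15 to 30 minute values cited above are the range the email references.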