Security Working Group meeting - Wednesday August 4

Joseph Reynolds jrey at
Wed Aug 4 08:57:52 AEST 2021

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday August 4 at 10:00am PDT.

We'll discuss the following items on the agenda 
and anything else that comes up:

 1. (Joseph): IBM ACF design (2FA authentication for the special IBM
    service account) is in review -
 2. (Joseph): Updated password hash algorithm from MD5 to SHA512 (while
    keeping the same cleartext password)
 3. (Joseph): Change the SSH server per-session idle timeout to an hour
    (was unlimited)?  (Sent idea to upstream project
    yocto-security at
    <mailto:yocto-security at>.)  Alternatively, update
    both SSH and BMCWeb to 30 minutes.
     1. Guidelines:
         1. NIST SP800-63B requires a timeout of 30 minutes for
            "assurance level 2" (high confidence that the authentication
            is still valid), or 15 minutes for "assurance level 2" (very
            high confidence).
         2. OWASP suggests idle timeouts of 15-30 minutes.
     2. Alternatively, use the bash shell’s TMOUT variable?
     3. See Yocto discussion (representative archived email):

Access, agenda and notes are in the wiki: 

- Joseph
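Two of the agenda items above (the MD5-to-SHA-512 password hash change and the SSH idle timeout) are the kind of thing a reviewer wants a quick check for. The following is an added example, not code from this email or from the OpenBMC project: `audit_shadow_hashes()` parses `/etc/shadow`-style lines and reports accounts whose hash is still MD5-crypt (`$1$`), traditional DES, or empty rather than SHA-512-crypt (`$6$`); `sshd_idle_timeout()` reads an `sshd_config` fragment and computes the timeout OpenSSH actually enforces from `ClientAliveInterval` and `ClientAliveCountMax` (defaults 0 and 3 per sshd_config(5)). The function names, the policy-limit helper, and all sample data are constructed for illustration; the parser only honours the global section, stopping at the first `Match` block.

```python
"""Audit helpers for two OpenBMC agenda items (added example, not project code):
 - which local accounts still carry a legacy password hash
 - what idle timeout the sshd configuration really enforces
All sample data here is constructed, not taken from a real system.
"""
import re

# crypt(3) "$id$" prefixes -> algorithm name
HASH_IDS = {
    "1": "md5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
# Algorithms considered acceptable for this check (SHA-512-crypt is the agenda target)
ACCEPTABLE = {"sha512-crypt", "sha256-crypt", "bcrypt", "scrypt", "yescrypt", "gost-yescrypt"}


def classify_hash(field):
    """Return (algorithm, status) for one shadow password field."""
    if field == "":
        return ("none", "empty")            # no password at all
    if field.startswith(("!", "*")):
        return ("locked", "locked")         # account cannot log in with a password
    m = re.match(r"^\$([^$]+)\$", field)
    if not m:
        return ("des-crypt", "legacy")      # traditional 13-char DES hash has no $id$ prefix
    alg = HASH_IDS.get(m.group(1), "unknown")
    if alg in ACCEPTABLE:
        return (alg, "ok")
    return (alg, "unknown" if alg == "unknown" else "legacy")


def audit_shadow_hashes(lines):
    """Parse /etc/shadow-style lines and return {user: (algorithm, status)}
    for every account that is neither acceptable nor locked."""
    findings = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        alg, status = classify_hash(pw)
        if status not in ("ok", "locked"):
            findings[user] = (alg, status)
    return findings


def sshd_idle_timeout(config_text):
    """Seconds until sshd drops an unresponsive session, or None if disabled.
    Defaults from sshd_config(5): ClientAliveInterval 0, ClientAliveCountMax 3.
    First occurrence of a keyword wins; parsing stops at the first Match block
    (assumption: only the global section is evaluated here)."""
    interval, count = 0, 3
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key in seen:
            continue
        seen.add(key)
        if key == "clientaliveinterval":
            interval = int(val)
        elif key == "clientalivecountmax":
            count = int(val)
    if interval <= 0 or count <= 0:
        return None
    return interval * count


def check_idle_policy(config_text, limit_seconds=3600):
    """Compare the enforced timeout with a policy limit (default: the one-hour
    proposal from the agenda). Returns (timeout, verdict)."""
    timeout = sshd_idle_timeout(config_text)
    if timeout is None:
        return (None, "no idle timeout enforced")
    if timeout > limit_seconds:
        return (timeout, f"exceeds {limit_seconds}s policy")
    return (timeout, "ok")


# Constructed sample data (not real credentials or a real config)
SAMPLE_SHADOW = [
    "# constructed sample shadow file",
    "root:$6$saltsalt$" + "x" * 86 + ":18800:0:99999:7:::",
    "service:$1$abcdefgh$" + "y" * 22 + ":18800:0:99999:7:::",
    "daemon:*:18800:0:99999:7:::",
    "legacy:Ab3fghijklmnp:18800:0:99999:7:::",
    "guest::18800:0:99999:7:::",
]

SAMPLE_SSHD_CONFIG = """# constructed sshd_config fragment
Port 22
# probe every 5 minutes, give up after 12 missed probes (60 minutes)
ClientAliveInterval 300
ClientAliveCountMax 12
Match User admin
    ClientAliveInterval 60
"""

if __name__ == "__main__":
    for user, (alg, status) in audit_shadow_hashes(SAMPLE_SHADOW).items():
        print(f"{user}: {alg} ({status})")
    print(check_idle_policy(SAMPLE_SSHD_CONFIG, limit_seconds=1800))
```

One caveat worth keeping in mind when reading the SSH result: `ClientAliveInterval` probes the client over the encrypted channel and only disconnects when the probes go unanswered, so an idle user whose SSH client is still running and replying is never logged out by it. Terminating an idle interactive session is the job of the login shell, which is why the bash `TMOUT` option mentioned in item 3.2 is the complementary control.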
