Security Working Group meeting - Wednesday August 4

Joseph Reynolds jrey at linux.ibm.com
Wed Aug 4 08:57:52 AEST 2021 

This is a reminder of the OpenBMC Security Working Group meeting 
scheduled for this Wednesday August 4 at 10:00am PDT.

We'll discuss the following items on the agenda 
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
and anything else that comes up:

 1. (Joseph): IBM ACF design (2FA authentication for the special IBM
    service account) is in review -
    https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201
    <https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201>
 2. (Joseph): Updated password hash algorithm from MD5 to SHA512 (while
    keeping the same cleartext password)
    https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45214
    <https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/45214>
 3. (Joseph): Change the SSH server per-session idle timeout to an hour
    (was unlimited)?  (Sent idea to upstream project
    yocto-security at yoctoproject.org
    <mailto:yocto-security at yoctoproject.org>.)  Alternatively, update
    both SSH and BMCWeb to 30 minutes.
     1. Guidelines:
         1. NIST SP800-63B requires a timeout of 30 minutes for
            "assurance level 2" (high confidence that the authentication
            is still valid), or 15 minutes for "assurance level 2" (very
            high confidence).
            https://pages.nist.gov/800-63-3/sp800-63b.html
            <https://pages.nist.gov/800-63-3/sp800-63b.html>
         2. OWASP suggests idle timeouts of 15-30 minutes.
            https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
            <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration>
     2. Alternatively, use the bash shell’s TMOUT variable?
     3. See Yocto discussion (representative archived email):
        https://lists.yoctoproject.org/g/yocto-security/message/381
        <https://lists.yoctoproject.org/g/yocto-security/message/381>



Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group 
<https://github.com/openbmc/openbmc/wiki/Security-working-group>

- Joseph

More information about the openbmc mailing list